| Use-Case | Event Types / Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Compromised Credentials | failed-logon ↳ f5-ssh-failed-logon<br>failed-vpn-login ↳ f5-vpn-login-failed<br>remote-logon ↳ f5-ssh-login-successful<br>vpn-login ↳ f5-vpn-user, f5-vpn-policy, f5-vpn-additional-info, f5-vpn-assign-ip, f5-vpn-session-start, cef-f5-vpn-start-1, f5-vpn-session-start<br>vpn-logout ↳ f5-vpn-user, f5-vpn-policy, f5-vpn-additional-info | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1078.003 - Valid Accounts: Local Accounts<br>T1110 - Brute Force<br>T1133 - External Remote Services<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets | |
| Lateral Movement | authentication-failed ↳ f5-vpn-auth-failed<br>failed-logon ↳ f5-ssh-failed-logon<br>failed-vpn-login ↳ f5-vpn-login-failed<br>network-connection-successful ↳ f5-network-connection-1<br>remote-logon ↳ f5-ssh-login-successful<br>vpn-login ↳ f5-vpn-user, f5-vpn-policy, f5-vpn-additional-info, f5-vpn-assign-ip, f5-vpn-session-start, cef-f5-vpn-start-1, f5-vpn-session-start<br>vpn-logout ↳ f5-vpn-user, f5-vpn-policy, f5-vpn-additional-info | T1018 - Remote System Discovery<br>T1021 - Remote Services<br>T1021.001 - Remote Services: Remote Desktop Protocol<br>T1071 - Application Layer Protocol<br>T1078 - Valid Accounts<br>T1090.003 - Proxy: Multi-hop Proxy<br>T1110 - Brute Force<br>T1110.003 - Brute Force: Password Spraying<br>T1190 - Exploit Public-Facing Application<br>T1550 - Use Alternate Authentication Material<br>T1550.002 - Use Alternate Authentication Material: Pass the Hash<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting<br>TA0010 - Exfiltration<br>TA0011 - Command and Control | |
| Malware | failed-logon ↳ f5-ssh-failed-logon<br>network-connection-successful ↳ f5-network-connection-1<br>remote-logon ↳ f5-ssh-login-successful<br>vpn-login ↳ f5-vpn-user, f5-vpn-policy, f5-vpn-additional-info, f5-vpn-assign-ip, f5-vpn-session-start, cef-f5-vpn-start-1, f5-vpn-session-start | T1078 - Valid Accounts<br>T1210 - Exploitation of Remote Services<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>TA0002 - Execution<br>TA0011 - Command and Control | |
| Privilege Abuse | failed-logon ↳ f5-ssh-failed-logon<br>remote-logon ↳ f5-ssh-login-successful<br>vpn-login ↳ f5-vpn-user, f5-vpn-policy, f5-vpn-additional-info, f5-vpn-assign-ip, f5-vpn-session-start, cef-f5-vpn-start-1, f5-vpn-session-start<br>vpn-logout ↳ f5-vpn-user, f5-vpn-policy, f5-vpn-additional-info | T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>T1133 - External Remote Services | |
| Ransomware | authentication-failed ↳ f5-vpn-auth-failed<br>failed-logon ↳ f5-ssh-failed-logon<br>failed-vpn-login ↳ f5-vpn-login-failed<br>remote-logon ↳ f5-ssh-login-successful<br>vpn-login ↳ f5-vpn-user, f5-vpn-policy, f5-vpn-additional-info, f5-vpn-assign-ip, f5-vpn-session-start, cef-f5-vpn-start-1, f5-vpn-session-start | T1078 - Valid Accounts | |