Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	failed-logon ↳f5-ssh-failed-logon failed-vpn-login ↳f5-vpn-login-failed remote-logon ↳f5-ssh-login-successful vpn-login ↳f5-vpn-user ↳f5-vpn-policy ↳f5-vpn-additional-info ↳f5-vpn-assign-ip ↳f5-vpn-session-start ↳cef-f5-vpn-start-1 ↳f5-vpn-session-start vpn-logout ↳f5-vpn-user ↳f5-vpn-policy ↳f5-vpn-additional-info	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1110 - Brute Force T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	61 Rules 27 Models
Lateral Movement	authentication-failed ↳f5-vpn-auth-failed failed-logon ↳f5-ssh-failed-logon failed-vpn-login ↳f5-vpn-login-failed network-connection-successful ↳f5-network-connection-1 remote-logon ↳f5-ssh-login-successful vpn-login ↳f5-vpn-user ↳f5-vpn-policy ↳f5-vpn-additional-info ↳f5-vpn-assign-ip ↳f5-vpn-session-start ↳cef-f5-vpn-start-1 ↳f5-vpn-session-start vpn-logout ↳f5-vpn-user ↳f5-vpn-policy ↳f5-vpn-additional-info	T1018 - Remote System Discovery T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1071 - Application Layer Protocol T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy T1110 - Brute Force T1110.003 - T1110.003 T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.002 - Use Alternate Authentication Material: Pass the Hash T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting TA0010 - TA0010 TA0011 - TA0011	90 Rules 34 Models
Malware	failed-logon ↳f5-ssh-failed-logon network-connection-successful ↳f5-network-connection-1 remote-logon ↳f5-ssh-login-successful vpn-login ↳f5-vpn-user ↳f5-vpn-policy ↳f5-vpn-additional-info ↳f5-vpn-assign-ip ↳f5-vpn-session-start ↳cef-f5-vpn-start-1 ↳f5-vpn-session-start	T1078 - Valid Accounts T1210 - Exploitation of Remote Services T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002 TA0011 - TA0011	10 Rules 2 Models
Privilege Abuse	failed-logon ↳f5-ssh-failed-logon remote-logon ↳f5-ssh-login-successful vpn-login ↳f5-vpn-user ↳f5-vpn-policy ↳f5-vpn-additional-info ↳f5-vpn-assign-ip ↳f5-vpn-session-start ↳cef-f5-vpn-start-1 ↳f5-vpn-session-start vpn-logout ↳f5-vpn-user ↳f5-vpn-policy ↳f5-vpn-additional-info	T1078 - Valid Accounts T1078.002 - T1078.002 T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1133 - External Remote Services	15 Rules 9 Models
Ransomware	authentication-failed ↳f5-vpn-auth-failed failed-logon ↳f5-ssh-failed-logon failed-vpn-login ↳f5-vpn-login-failed remote-logon ↳f5-ssh-login-successful vpn-login ↳f5-vpn-user ↳f5-vpn-policy ↳f5-vpn-additional-info ↳f5-vpn-assign-ip ↳f5-vpn-session-start ↳cef-f5-vpn-start-1 ↳f5-vpn-session-start	T1078 - Valid Accounts	1 Rules

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2_ds_f5_f5_big-ip.md

2_ds_f5_f5_big-ip.md

Files

2_ds_f5_f5_big-ip.md

Latest commit

History

2_ds_f5_f5_big-ip.md

File metadata and controls