Use Case: Audit Tampering

Vendor: BeyondTrust

Product	Event Types	MITRE ATT&CK® TTP	Content
BeyondTrust PowerBroker	privileged-access process-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
BeyondTrust Privilege Management	local-logon process-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Cisco

Product	Event Types	MITRE ATT&CK® TTP	Content
Adaptive Security Appliance	authentication-failed authentication-successful dns-response failed-logon failed-vpn-login file-download file-upload nac-logon network-connection-successful process-created remote-logon vpn-login vpn-logout web-activity-denied	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Firepower	authentication-successful dns-query dns-response failed-vpn-login file-download nac-logon netflow-connection network-alert network-connection-failed network-connection-successful process-created security-alert vpn-login vpn-logout web-activity-allowed web-activity-denied	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
NPE	process-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
TACACS	authentication-failed process-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Citrix

Product	Event Types	MITRE ATT&CK® TTP	Content
Citrix Netscaler	app-login authentication-failed failed-vpn-login process-created vpn-login vpn-logout	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: CrowdStrike

Product	Event Types	MITRE ATT&CK® TTP	Content
Falcon	app-activity app-activity-failed app-login authentication-failed batch-logon computer-logon config-change dlp-alert dns-query failed-app-login file-alert file-delete file-download file-read file-write local-logon network-connection-successful process-alert process-created process-network remote-access remote-logon security-alert service-logon task-created usb-activity usb-insert usb-write workstation-unlocked	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Delinea

Product	Event Types	MITRE ATT&CK® TTP	Content
Centrify Infrastructure Services	process-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Digital Guardian

Product	Event Types	MITRE ATT&CK® TTP	Content
Digital Guardian Endpoint Protection	app-activity app-login dlp-email-alert-out file-delete file-download file-read file-upload file-write local-logon network-connection-failed network-connection-successful print-activity process-created usb-insert usb-write	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Dtex Systems

Product	Event Types	MITRE ATT&CK® TTP	Content
DTEX InTERCEPT	file-delete file-read file-write local-logon print-activity process-created remote-logon usb-write web-activity-allowed workstation-locked workstation-unlocked	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: F5

Product	Event Types	MITRE ATT&CK® TTP	Content
F5 Advanced Web Application Firewall (WAF)	account-switch dlp-email-alert-out network-alert network-connection-failed network-connection-successful process-created remote-logon	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: HP

Product	Event Types	MITRE ATT&CK® TTP	Content
HP Comware	process-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: HelpSystems

Product	Event Types	MITRE ATT&CK® TTP	Content
Powertech Identity Access Manager (BoKs)	account-switch file-delete file-read file-write local-logon process-created remote-logon	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Huawei

Product	Event Types	MITRE ATT&CK® TTP	Content
Unified Security Gateway	authentication-successful network-alert process-created vpn-login	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Juniper Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Juniper Networks	config-change process-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: LanScope

Product	Event Types	MITRE ATT&CK® TTP	Content
LanScope Cat	app-activity dlp-alert failed-usb-activity file-delete file-write local-logon print-activity process-created process-created-failed process-network usb-activity usb-write web-activity-allowed workstation-locked workstation-unlocked	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: LogRhythm

Product	Event Types	MITRE ATT&CK® TTP	Content
LogRhythm	process-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Microsoft

Product	Event Types	MITRE ATT&CK® TTP	Content
Azure	account-password-change app-activity app-activity-failed app-login authentication-failed authentication-successful cloud-admin-activity cloud-admin-activity-failed database-query dns-query failed-app-login file-delete file-download file-read file-upload file-write image-loaded member-added member-removed network-alert network-connection-failed network-connection-successful process-created remote-logon security-alert storage-access storage-activity storage-activity-failed usb-activity usb-insert	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Defender ATP	app-login batch-logon failed-logon file-delete file-write local-logon member-added member-removed process-created process-network process-network-failed remote-access remote-logon security-alert service-logon	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Office 365	account-password-change app-activity app-activity-failed app-login dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login file-delete file-download file-permission-change file-read file-upload file-write process-created security-alert usb-write	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Sysmon	dns-query file-delete file-write image-loaded process-alert process-created process-network registry-write	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-change-failed account-password-reset account-switch account-unlocked app-login audit-log-clear audit-policy-change authentication-failed authentication-successful batch-logon computer-logon config-change dcom-activation-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-failed-logon nac-logon network-connection-successful ntlm-logon privileged-access privileged-object-access process-created process-network process-network-failed registry-write remote-access remote-logon security-alert service-created service-logon share-access share-access-denied task-created usb-activity usb-insert vpn-login vpn-logout winsession-disconnect workstation-locked workstation-unlocked	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.002 - T1562.002 T1562.006 - T1562.006	12 Rules 2 Models

Vendor: ObserveIT

Product	Event Types	MITRE ATT&CK® TTP	Content
ObserveIT	app-activity app-login database-access dlp-alert failed-app-login process-created remote-logon security-alert	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Oracle

Product	Event Types	MITRE ATT&CK® TTP	Content
Solaris	process-created process-created-failed	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: SentinelOne

Product	Event Types	MITRE ATT&CK® TTP	Content
Singularity	app-activity dns-query dns-response file-alert file-delete file-read file-write network-alert network-connection-failed network-connection-successful process-alert process-created registry-write security-alert task-created web-activity-allowed	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: SkySea

Product	Event Types	MITRE ATT&CK® TTP	Content
ClientView	app-activity app-login dlp-email-alert-out file-delete file-download file-read file-upload file-write print-activity process-created security-alert share-access usb-activity web-activity-allowed web-activity-denied	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Symantec

Product	Event Types	MITRE ATT&CK® TTP	Content
Symantec EDR	authentication-successful file-alert file-delete file-write process-created remote-logon security-alert	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Tanium

Product	Event Types	MITRE ATT&CK® TTP	Content
Endpoint Platform	authentication-failed authentication-successful dns-response process-created security-alert	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Integrity Monitor	file-delete file-permission-change file-write network-connection-failed network-connection-successful process-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: Unix

Product	Event Types	MITRE ATT&CK® TTP	Content
Auditbeat	app-activity app-activity-failed authentication-successful process-created process-network process-network-failed	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Unix	account-creation account-deleted account-lockout account-password-change account-switch authentication-failed authentication-successful batch-logon computer-logon dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-logon file-delete file-permission-change file-read file-write kerberos-logon local-logon member-added member-removed process-created process-created-failed remote-access remote-logon security-alert task-created	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Unix Auditd	account-creation account-deleted account-password-change account-switch app-activity-failed authentication-failed authentication-successful failed-logon local-logon member-added member-removed process-created process-created-failed remote-logon	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Vendor: VMware

Product	Event Types	MITRE ATT&CK® TTP	Content
Carbon Black App Control	app-login file-alert file-download file-write local-logon process-alert process-created security-alert usb-activity usb-insert workstation-locked workstation-unlocked	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Carbon Black Cloud Endpoint Standard	app-login authentication-successful failed-app-login file-write network-connection-failed network-connection-successful process-created registry-write security-alert	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Carbon Black Cloud Enterprise EDR	authentication-successful file-write network-connection-failed network-connection-successful process-alert process-created registry-write security-alert	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Carbon Black EDR	file-alert file-delete file-read file-write network-connection-failed network-connection-successful process-alert process-created process-created-failed process-network security-alert	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

uc_audit_tampering.md

uc_audit_tampering.md

Use Case: Audit Tampering

Vendor: BeyondTrust

Vendor: Cisco

Vendor: Citrix

Vendor: CrowdStrike

Vendor: Delinea

Vendor: Digital Guardian

Vendor: Dtex Systems

Vendor: F5

Vendor: HP

Vendor: HelpSystems

Vendor: Huawei

Vendor: Juniper Networks

Vendor: LanScope

Vendor: LogRhythm

Vendor: Microsoft

Vendor: ObserveIT

Vendor: Oracle

Vendor: SentinelOne

Vendor: SkySea

Vendor: Symantec

Vendor: Tanium

Vendor: Unix

Vendor: VMware

Files

uc_audit_tampering.md

Latest commit

History

uc_audit_tampering.md

File metadata and controls

Use Case: Audit Tampering

Vendor: BeyondTrust

Vendor: Cisco

Vendor: Citrix

Vendor: CrowdStrike

Vendor: Delinea

Vendor: Digital Guardian

Vendor: Dtex Systems

Vendor: F5

Vendor: HP

Vendor: HelpSystems

Vendor: Huawei

Vendor: Juniper Networks

Vendor: LanScope

Vendor: LogRhythm

Vendor: Microsoft

Vendor: ObserveIT

Vendor: Oracle

Vendor: SentinelOne

Vendor: SkySea

Vendor: Symantec

Vendor: Tanium

Vendor: Unix

Vendor: VMware