Vendor: SAP

Product: SAP

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|:-----:|:------:|:------------------:|:--------------:|:-------:|
| 174 | 70 | 29 | 12 | 12 |

| Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content |
|:---------|:-----------------------|:------------------|:--------|
| Abnormal Authentication & Access | account-creation<br> ↳sap-s-cef-user-create-success-created<br><br>account-deleted<br> ↳sap-s-cef-user-delete-success-deleted<br><br>account-lockout<br> ↳sap-s-cef-user-lock-success-locked<br><br>account-password-change<br> ↳sap-s-cef-user-password-modify-success-changed<br> ↳sap-s-cef-user-password-modify-success-loginforsso<br><br>account-unlocked<br> ↳sap-s-cef-user-unlock-success-unlocked<br><br>app-login<br> ↳sap-s-kv-network-session-functioncall<br> ↳sap-s-cef-network-session-rfccallsuccess<br> ↳sap-s-cef-app-login-success-dialoglogonsuccessful<br><br>authentication-failed<br> ↳sap-s-cef-endpoint-login-fail-secude<br><br>authentication-successful<br> ↳sap-s-cef-endpoint-login-success-assertion-1<br> ↳sap-s-cef-endpoint-login-success-assertion<br><br>failed-app-login<br> ↳sap-s-cef-app-login-fail-dialoglogonfailed<br><br>remote-logon<br> ↳sap-s-cef-app-logout-userlogoff<br> ↳sap-s-cef-app-notification-success-attribute<br> ↳sap-s-cef-app-notification-accessbyrfc<br> ↳sap-s-cef-app-notification-success-cbus<br> ↳sap-s-cef-app-notification-transactionstarted<br> ↳sap-s-cef-app-notification-success-bul<br> ↳sap-s-cef-app-notification-transactionfailed<br> ↳sap-s-cef-app-notification-success-nameid<br> ↳sap-s-cef-app-notification-reportstarted<br> ↳sap-s-cef-app-notification-success-bu4<br> ↳sap-s-cef-app-notification-messagecu1<br> ↳sap-s-cef-app-notification-success-e00<br> ↳sap-s-cef-app-notification-success-h01<br> ↳sap-s-cef-app-notification-success-bi0<br> ↳sap-s-cef-app-notification-success-duz<br> ↳sap-s-cef-app-notification-success-eg0<br> ↳sap-s-cef-app-notification-success-cub<br> ↳sap-s-cef-app-notification-success-aud<br> ↳sap-s-cef-app-notification-success-geo<br> ↳sap-s-cef-endpoint-login-fail-cpiclogonfail<br> ↳sap-s-cef-endpoint-login-success-cpiclogonsuccessful | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1110 - Brute Force<br>T1133 - External Remote Services | 36 Rules<br>14 Models |
| Account Manipulation | account-creation<br> ↳sap-s-cef-user-create-success-created<br><br>account-deleted<br> ↳sap-s-cef-user-delete-success-deleted<br><br>account-password-change<br> ↳sap-s-cef-user-password-modify-success-changed<br> ↳sap-s-cef-user-password-modify-success-loginforsso | T1098 - Account Manipulation<br>T1136 - Create Account<br>T1136.001 - Create Account: Create: Local Account<br>T1136.002 - T1136.002<br>T1531 - Account Access Removal | 22 Rules<br>8 Models |
| Brute Force Attack | account-lockout<br> ↳sap-s-cef-user-lock-success-locked | T1110 - Brute Force | 1 Rules |
| Data Exfiltration | file-write<br> ↳sap-s-cef-file-write-success-download | TA0002 - TA0002 | 2 Rules<br>1 Models |
| Data Leak | file-write<br> ↳sap-s-cef-file-write-success-download | T1114.001 - T1114.001 | 1 Rules |

MITRE ATT&CK® Framework for Enterprise

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|:---|:---|:---|:---|:---|:---|:---|:---|:---|:---|:---|:---|
| External Remote Services<br>Valid Accounts<br>Exploit Public Facing Application | | Create Account<br>External Remote Services<br>Valid Accounts<br>Server Software Component: Web Shell<br>Account Manipulation<br>Server Software Component<br>Boot or Logon Autostart Execution<br>Create Account: Create: Local Account | Valid Accounts<br>Exploitation for Privilege Escalation<br>Boot or Logon Autostart Execution | Valid Accounts<br>Use Alternate Authentication Material<br>Use Alternate Authentication Material: Pass the Hash<br>Use Alternate Authentication Material: Pass the Ticket<br>Valid Accounts: Local Accounts | OS Credential Dumping<br>Brute Force<br>Steal or Forge Kerberos Tickets<br>Credentials from Password Stores<br>Steal or Forge Kerberos Tickets: Kerberoasting | File and Directory Discovery<br>Remote System Discovery | Remote Services<br>Use Alternate Authentication Material | Email Collection | Proxy: Multi-hop Proxy<br>Proxy | | Account Access Removal<br>Data Encrypted for Impact |