
@brokensound77
Created March 11, 2023 05:56
Event category and field distribution over ATT&CK techniques

Event category and field distribution over ATT&CK techniques

Analysis of the Elastic detection-rules repository, showing the event categories and field distribution per ATT&CK technique. The full results are in the file below (fields_by_technique.json).

The structure is:

"library": {                                       # event.category (generic if event.category is not defined; rules spanning several categories appear under a combined key, e.g. "any,iam")
      "fields": {                                  # field distribution for that event.category within that technique
        "dll.code_signature.status": "100.00%",    # field with percentage
        "dll.code_signature.trusted": "100.00%",   # field with percentage
        "host.os.type": "100.00%",                 # field with percentage
        "process.pid": "100.00%"                   # field with percentage
      },
      "rule_count": 1                              # number of rules in this technique with this event.category (the denominator for the percentages above)

Example:

"T1553": {
    "generic": {
      "fields": {
        "event.provider": "100.00%",
        "host.os.type": "100.00%",
        "message": "100.00%"
      },
      "rule_count": 1
    },
    "library": {
      "fields": {
        "dll.code_signature.status": "100.00%",
        "dll.code_signature.trusted": "100.00%",
        "host.os.type": "100.00%",
        "process.pid": "100.00%"
      },
      "rule_count": 1
    },
    "process": {
      "fields": {
        "event.category": "66.67%",
        "event.type": "100.00%",
        "host.os.type": "100.00%",
        "process.args": "100.00%",
        "process.executable": "33.33%",
        "process.name": "66.67%",
        "process.parent.executable": "33.33%",
        "process.pe.original_file_name": "33.33%"
      },
      "rule_count": 3
    },
    "registry": {
      "fields": {
        "event.type": "100.00%",
        "host.os.type": "100.00%",
        "process.executable": "33.33%",
        "registry.data.strings": "66.67%",
        "registry.path": "100.00%",
        "registry.value": "33.33%"
      },
      "rule_count": 3
    }
  }

For technique T1553, the following event categories were present, each on the indicated number of rules:

  • 1 generic
  • 1 library
  • 3 process
  • 3 registry

The field percentages under each event.category are relative to that category's rule_count; for example, "process.executable": "33.33%" under process means 1 of the 3 process rules references that field.

{
"T1003": {
"any": {
"fields": {
"event.action": "75.00%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "25.00%",
"winlog.event_data.AccessMask": "75.00%",
"winlog.event_data.AccessMaskDescription": "25.00%",
"winlog.event_data.ObjectName": "25.00%",
"winlog.event_data.ProcessName": "25.00%",
"winlog.event_data.Properties": "50.00%",
"winlog.event_data.Resource": "25.00%",
"winlog.event_data.SchemaFriendlyName": "25.00%",
"winlog.event_data.SubjectLogonId": "25.00%",
"winlog.event_data.SubjectUserName": "25.00%",
"winlog.event_data.SubjectUserSid": "25.00%",
"winlog.process.pid": "25.00%"
},
"rule_count": 4
},
"any,iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.PrivilegeList": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%"
},
"rule_count": 1
},
"any,library,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
},
"authentication,file": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.id": "100.00%",
"user.name": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "33.33%",
"file.Ext.header_bytes": "33.33%",
"file.name": "66.67%",
"file.path": "33.33%",
"file.size": "33.33%",
"host.os.type": "100.00%",
"process.executable": "33.33%",
"process.name": "33.33%",
"process.pid": "33.33%",
"user.id": "33.33%"
},
"rule_count": 3
},
"generic": {
"fields": {
"endgame.event_subtype_full": "66.67%",
"endgame.metadata.type": "66.67%",
"event.action": "100.00%",
"event.code": "33.33%",
"event.kind": "66.67%",
"event.module": "66.67%",
"host.os.type": "33.33%",
"winlog.event_data.Properties": "33.33%",
"winlog.event_data.SubjectUserName": "33.33%"
},
"rule_count": 3
},
"library": {
"fields": {
"dll.code_signature.status": "100.00%",
"dll.code_signature.subject_name": "100.00%",
"dll.hash.sha256": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "8.70%",
"event.category": "34.78%",
"event.code": "30.43%",
"event.dataset": "4.35%",
"event.type": "52.17%",
"file.name": "4.35%",
"file.pe.imphash": "4.35%",
"file.pe.original_file_name": "4.35%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "17.39%",
"process.args": "47.83%",
"process.args_count": "4.35%",
"process.command_line": "8.70%",
"process.entity_id": "4.35%",
"process.executable": "17.39%",
"process.name": "52.17%",
"process.parent.executable": "13.04%",
"process.pe.original_file_name": "34.78%",
"process.working_directory": "4.35%",
"user.id": "13.04%",
"user.name": "4.35%",
"winlog.event_data.CallTrace": "17.39%",
"winlog.event_data.GrantedAccess": "13.04%",
"winlog.event_data.TargetImage": "17.39%"
},
"rule_count": 23
},
"registry": {
"fields": {
"event.type": "50.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1003.001": {
"any": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.AccessMask": "100.00%",
"winlog.event_data.AccessMaskDescription": "100.00%",
"winlog.event_data.ObjectName": "100.00%",
"winlog.event_data.ProcessName": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"endgame.event_subtype_full": "100.00%",
"endgame.metadata.type": "100.00%",
"event.action": "100.00%",
"event.kind": "100.00%",
"event.module": "100.00%"
},
"rule_count": 2
},
"library": {
"fields": {
"dll.code_signature.status": "100.00%",
"dll.code_signature.subject_name": "100.00%",
"dll.hash.sha256": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "40.00%",
"event.code": "70.00%",
"event.dataset": "10.00%",
"event.type": "10.00%",
"file.name": "10.00%",
"file.pe.imphash": "10.00%",
"file.pe.original_file_name": "10.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "20.00%",
"process.args": "10.00%",
"process.command_line": "10.00%",
"process.entity_id": "10.00%",
"process.executable": "30.00%",
"process.name": "50.00%",
"process.parent.executable": "20.00%",
"process.pe.original_file_name": "10.00%",
"user.id": "10.00%",
"winlog.event_data.CallTrace": "40.00%",
"winlog.event_data.GrantedAccess": "30.00%",
"winlog.event_data.TargetImage": "40.00%"
},
"rule_count": 10
},
"registry": {
"fields": {
"event.type": "50.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1003.002": {
"any,iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.PrivilegeList": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%"
},
"rule_count": 1
},
"authentication,file": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.id": "100.00%",
"user.name": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.size": "100.00%",
"host.os.type": "100.00%",
"process.pid": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "33.33%",
"event.type": "66.67%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "33.33%",
"process.args": "66.67%",
"process.pe.original_file_name": "66.67%",
"user.id": "33.33%"
},
"rule_count": 3
}
},
"T1003.003": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "50.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "50.00%",
"process.args": "50.00%",
"process.command_line": "50.00%",
"process.name": "50.00%",
"process.parent.executable": "50.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
}
},
"T1003.004": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1003.006": {
"any": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.AccessMask": "100.00%",
"winlog.event_data.Properties": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.Properties": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%"
},
"rule_count": 1
}
},
"T1003.008": {
"process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.args_count": "50.00%",
"process.executable": "50.00%",
"process.name": "50.00%",
"process.parent.executable": "50.00%",
"process.working_directory": "50.00%",
"user.name": "50.00%"
},
"rule_count": 2
}
},
"T1005": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.command_line": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1006": {
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1007": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.args_count": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1016": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"event.action": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1016.001": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"event.action": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1018": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "83.33%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "66.67%"
},
"rule_count": 6
}
},
"T1020": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
}
},
"T1021": {
"any,iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.PrivilegeList": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%"
},
"rule_count": 1
},
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"any,process,registry": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
},
"authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"authentication,file": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.id": "100.00%",
"user.name": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "50.00%",
"user.name": "50.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.ServiceFileName": "50.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "50.00%",
"winlog.event_data.TargetLogonId": "50.00%",
"winlog.logon.id": "50.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 2
},
"file": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"file.Ext.header_bytes": "25.00%",
"file.name": "50.00%",
"file.path": "50.00%",
"file.size": "25.00%",
"host.os.type": "75.00%",
"process.executable": "25.00%",
"process.name": "50.00%",
"process.pid": "50.00%",
"user.id": "25.00%"
},
"rule_count": 4
},
"file,network": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.entity_id": "100.00%",
"process.pid": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 1
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.pid": "100.00%"
},
"rule_count": 1
},
"network or network_traffic": {
"fields": {
"destination.ip": "50.00%",
"destination.port": "100.00%",
"event.action": "50.00%",
"event.category": "100.00%",
"event.dataset": "50.00%",
"network.direction": "50.00%",
"network.transport": "50.00%",
"source.ip": "50.00%"
},
"rule_count": 2
},
"network,process": {
"fields": {
"destination.ip": "40.00%",
"destination.port": "70.00%",
"event.type": "100.00%",
"host.id": "60.00%",
"host.os.type": "100.00%",
"network.direction": "60.00%",
"network.protocol": "20.00%",
"network.transport": "40.00%",
"process.args": "40.00%",
"process.entity_id": "80.00%",
"process.executable": "20.00%",
"process.name": "90.00%",
"process.parent.entity_id": "30.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "10.00%",
"process.pid": "20.00%",
"source.ip": "60.00%",
"source.port": "40.00%"
},
"rule_count": 10
},
"network,process,registry": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 1
},
"network,registry": {
"fields": {
"destination.port": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "14.29%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "85.71%",
"process.command_line": "28.57%",
"process.executable": "14.29%",
"process.name": "85.71%",
"process.parent.executable": "28.57%",
"process.parent.name": "28.57%",
"process.pe.original_file_name": "28.57%",
"user.id": "14.29%"
},
"rule_count": 7
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "50.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.domain": "50.00%"
},
"rule_count": 2
}
},
"T1021.001": {
"network,process,registry": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
}
},
"T1021.002": {
"file": {
"fields": {
"event.type": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.size": "100.00%",
"host.os.type": "100.00%",
"process.pid": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"file,network": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.entity_id": "100.00%",
"process.pid": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 1
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.pid": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"destination.port": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"process.pid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.command_line": "33.33%",
"process.name": "100.00%",
"process.parent.executable": "33.33%",
"process.parent.name": "33.33%",
"process.pe.original_file_name": "33.33%"
},
"rule_count": 3
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1021.003": {
"network,process": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.args": "33.33%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.parent.entity_id": "66.67%",
"process.parent.name": "66.67%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 3
}
},
"T1021.004": {
"authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"file.path": "50.00%",
"host.os.type": "50.00%",
"process.executable": "50.00%",
"process.name": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.executable": "100.00%"
},
"rule_count": 1
}
},
"T1021.006": {
"network,process": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pid": "50.00%",
"source.ip": "100.00%"
},
"rule_count": 2
}
},
"T1027": {
"file,process": {
"fields": {
"event.action": "100.00%",
"file.Ext.entropy": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.args_count": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "60.00%",
"event.type": "60.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "40.00%",
"process.name": "60.00%",
"process.parent.name": "40.00%",
"user.id": "40.00%"
},
"rule_count": 5
}
},
"T1027.004": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
}
},
"T1027.006": {
"file,process": {
"fields": {
"event.action": "100.00%",
"file.Ext.entropy": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.args_count": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1033": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.Ext.token.integrity_level_name": "50.00%",
"process.name": "100.00%",
"process.parent.args": "50.00%",
"process.parent.executable": "50.00%",
"process.parent.name": "100.00%",
"user.domain": "50.00%",
"user.id": "50.00%",
"winlog.event_data.IntegrityLevel": "50.00%"
},
"rule_count": 2
}
},
"T1036": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"file,process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"process.parent.entity_id": "100.00%",
"process.parent.executable": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.agent_id_status": "100.00%"
},
"rule_count": 2
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.protocol": "100.00%",
"process.args_count": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "9.09%",
"process.executable": "45.45%",
"process.name": "81.82%",
"process.parent.args": "9.09%",
"process.parent.executable": "18.18%",
"process.parent.name": "18.18%",
"process.pe.original_file_name": "36.36%"
},
"rule_count": 11
}
},
"T1036.003": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 3
}
},
"T1036.005": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "33.33%",
"process.executable": "66.67%",
"process.name": "66.67%",
"process.parent.executable": "33.33%"
},
"rule_count": 3
}
},
"T1036.006": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1036.007": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
}
},
"T1037": {
"file": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "50.00%",
"user.name": "100.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.type": "100.00%",
"host.id": "33.33%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "33.33%",
"process.name": "66.67%",
"process.parent.pid": "33.33%",
"process.pid": "33.33%"
},
"rule_count": 3
}
},
"T1037.004": {
"file": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
}
},
"T1040": {
"generic": {
"fields": {
"azure.activitylogs.operation_name": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
}
},
"T1046": {
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1047": {
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"event.type": "50.00%",
"file.name": "100.00%",
"host.id": "50.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "50.00%",
"user.domain": "50.00%"
},
"rule_count": 2
},
"network,process": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1048": {
"network or network_traffic": {
"fields": {
"destination.ip": "50.00%",
"destination.port": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"network.transport": "100.00%",
"source.ip": "50.00%"
},
"rule_count": 2
}
},
"T1053": {
"any,library,network,process": {
"fields": {
"destination.address": "100.00%",
"destination.port": "100.00%",
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"any,process,registry": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
},
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.category": "33.33%",
"event.type": "100.00%",
"file.extension": "16.67%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "33.33%",
"user.name": "16.67%"
},
"rule_count": 6
},
"generic": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"message": "100.00%",
"winlog.event_data.AccessList": "100.00%",
"winlog.event_data.AttributeLDAPDisplayName": "100.00%",
"winlog.event_data.AttributeValue": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.ShareName": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "33.33%",
"winlog.event_data.TaskName": "100.00%"
},
"rule_count": 3
},
"network,registry": {
"fields": {
"destination.port": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.Ext.token.integrity_level_name": "33.33%",
"process.args": "100.00%",
"process.code_signature.trusted": "33.33%",
"process.entity_id": "33.33%",
"process.name": "100.00%",
"process.parent.args": "33.33%",
"process.parent.entity_id": "33.33%",
"process.parent.name": "66.67%",
"process.pe.original_file_name": "66.67%",
"process.working_directory": "33.33%",
"user.id": "33.33%",
"winlog.event_data.IntegrityLevel": "33.33%"
},
"rule_count": 3
}
},
"T1053.003": {
"file": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "75.00%",
"process.name": "25.00%",
"user.name": "25.00%"
},
"rule_count": 4
}
},
"T1053.005": {
"any,library,network,process": {
"fields": {
"destination.address": "100.00%",
"destination.port": "100.00%",
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"any,process,registry": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
},
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "50.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "50.00%"
},
"rule_count": 2
},
"generic": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"message": "100.00%",
"winlog.event_data.AccessList": "100.00%",
"winlog.event_data.AttributeLDAPDisplayName": "100.00%",
"winlog.event_data.AttributeValue": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.ShareName": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "33.33%",
"winlog.event_data.TaskName": "100.00%"
},
"rule_count": 3
},
"network,registry": {
"fields": {
"destination.port": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.Ext.token.integrity_level_name": "33.33%",
"process.args": "100.00%",
"process.code_signature.trusted": "33.33%",
"process.entity_id": "33.33%",
"process.name": "100.00%",
"process.parent.args": "33.33%",
"process.parent.entity_id": "33.33%",
"process.parent.name": "66.67%",
"process.pe.original_file_name": "66.67%",
"process.working_directory": "33.33%",
"user.id": "33.33%",
"winlog.event_data.IntegrityLevel": "33.33%"
},
"rule_count": 3
}
},
"T1055": {
"file,process": {
"fields": {
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"endgame.event_subtype_full": "50.00%",
"endgame.metadata.type": "50.00%",
"event.action": "100.00%",
"event.kind": "50.00%",
"event.module": "50.00%",
"host.os.type": "50.00%",
"process.name": "50.00%"
},
"rule_count": 4
},
"process": {
"fields": {
"event.category": "22.22%",
"event.code": "22.22%",
"event.type": "55.56%",
"host.id": "11.11%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "22.22%",
"process.args": "33.33%",
"process.entity_id": "11.11%",
"process.executable": "55.56%",
"process.name": "44.44%",
"process.parent.args": "33.33%",
"process.parent.entity_id": "11.11%",
"process.parent.name": "55.56%",
"process.parent.pid": "11.11%",
"user.id": "22.22%",
"winlog.event_data.CallTrace": "22.22%",
"winlog.event_data.TargetImage": "11.11%",
"winlog.event_data.TargetProcessGUID": "11.11%"
},
"rule_count": 9
}
},
"T1055.001": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1055.002": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1055.012": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.args": "50.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
}
},
"T1056": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "50.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "50.00%",
"process.command_line": "50.00%",
"process.name": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
}
},
"T1056.001": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1056.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.command_line": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1057": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1059": {
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"file,network": {
"fields": {
"dns.question.name": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"azure.activitylogs.operation_name": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "33.33%",
"destination.port": "16.67%",
"event.action": "33.33%",
"event.type": "100.00%",
"host.id": "66.67%",
"host.os.type": "83.33%",
"process.args": "16.67%",
"process.entity_id": "50.00%",
"process.name": "100.00%",
"process.parent.name": "33.33%",
"process.parent.pid": "16.67%",
"process.pid": "16.67%",
"user.id": "16.67%"
},
"rule_count": 6
},
"process": {
"fields": {
"event.action": "2.17%",
"event.category": "47.83%",
"event.type": "63.04%",
"host.id": "6.52%",
"host.os.type": "91.30%",
"powershell.file.script_block_text": "36.96%",
"process.args": "36.96%",
"process.args_count": "2.17%",
"process.command_line": "8.70%",
"process.executable": "15.22%",
"process.name": "54.35%",
"process.parent.args": "8.70%",
"process.parent.command_line": "6.52%",
"process.parent.executable": "6.52%",
"process.parent.name": "28.26%",
"process.parent.pid": "4.35%",
"process.pe.original_file_name": "4.35%",
"process.pid": "4.35%",
"process.working_directory": "2.17%",
"user.id": "32.61%",
"user.name": "2.17%"
},
"rule_count": 46
}
},
"T1059.001": {
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"file,network": {
"fields": {
"dns.question.name": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "85.00%",
"event.type": "15.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "85.00%",
"process.args": "5.00%",
"process.executable": "5.00%",
"process.name": "15.00%",
"process.parent.args": "5.00%",
"process.parent.command_line": "5.00%",
"process.parent.name": "10.00%",
"process.pe.original_file_name": "5.00%",
"process.working_directory": "5.00%",
"user.id": "70.00%"
},
"rule_count": 20
}
},
"T1059.002": {
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.command_line": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1059.003": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "80.00%",
"process.args": "60.00%",
"process.name": "100.00%",
"process.parent.args": "20.00%",
"process.parent.command_line": "20.00%",
"process.parent.executable": "20.00%",
"process.parent.name": "40.00%"
},
"rule_count": 5
}
},
"T1059.004": {
"network,process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.id": "25.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.args_count": "25.00%",
"process.command_line": "25.00%",
"process.executable": "75.00%",
"process.name": "75.00%",
"process.parent.args": "25.00%",
"process.parent.command_line": "25.00%",
"process.parent.executable": "50.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "25.00%"
},
"rule_count": 4
}
},
"T1059.006": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 2
}
},
"T1059.007": {
"network,process": {
"fields": {
"destination.port": "50.00%",
"event.action": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "50.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.parent.pid": "50.00%",
"process.pid": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1068": {
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.DnsHostName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.event_data.TargetUserName": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "75.00%",
"file.extension": "50.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "25.00%",
"process.name": "75.00%",
"user.id": "25.00%"
},
"rule_count": 4
},
"generic": {
"fields": {
"endgame.event_subtype_full": "66.67%",
"endgame.metadata.type": "66.67%",
"event.action": "100.00%",
"event.code": "33.33%",
"event.kind": "66.67%",
"event.module": "66.67%",
"host.os.type": "33.33%",
"winlog.event_data.AttributeLDAPDisplayName": "33.33%",
"winlog.event_data.OperationType": "33.33%",
"winlog.event_data.SubjectUserSid": "33.33%"
},
"rule_count": 3
},
"library,network,process": {
"fields": {
"destination.port": "100.00%",
"dll.name": "100.00%",
"dns.question.name": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.protocol": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.parent.entity_id": "100.00%",
"process.parent.name": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "20.00%",
"event.category": "40.00%",
"event.type": "100.00%",
"host.os.type": "80.00%",
"process.Ext.token.integrity_level_name": "40.00%",
"process.args": "40.00%",
"process.command_line": "20.00%",
"process.executable": "40.00%",
"process.name": "60.00%",
"process.parent.executable": "20.00%",
"process.parent.name": "60.00%",
"process.pe.original_file_name": "20.00%",
"process.working_directory": "20.00%",
"user.name": "40.00%",
"winlog.event_data.IntegrityLevel": "40.00%"
},
"rule_count": 5
},
"registry": {
"fields": {
"host.id": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1069": {
"iam": {
"fields": {
"event.action": "100.00%",
"group.name": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.CallerProcessName": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetSid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "25.00%",
"event.type": "75.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "25.00%",
"process.args": "75.00%",
"process.name": "75.00%",
"process.parent.executable": "25.00%",
"process.parent.name": "25.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "25.00%"
},
"rule_count": 4
}
},
"T1069.001": {
"iam": {
"fields": {
"event.action": "100.00%",
"group.name": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.CallerProcessName": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetSid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "33.33%",
"event.type": "66.67%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "33.33%",
"process.args": "66.67%",
"process.name": "66.67%",
"process.parent.executable": "33.33%",
"process.parent.name": "33.33%",
"process.pe.original_file_name": "33.33%",
"user.id": "33.33%"
},
"rule_count": 3
}
},
"T1069.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 2
}
},
"T1070": {
"file": {
"fields": {
"event.action": "25.00%",
"event.code": "25.00%",
"event.type": "75.00%",
"file.extension": "25.00%",
"file.name": "25.00%",
"file.path": "50.00%",
"host.os.type": "75.00%",
"process.executable": "25.00%",
"process.name": "25.00%",
"user.name": "25.00%"
},
"rule_count": 4
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "50.00%",
"event.outcome": "50.00%",
"event.provider": "50.00%",
"host.os.type": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "14.29%",
"event.type": "100.00%",
"host.os.type": "71.43%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "57.14%",
"user.id": "14.29%"
},
"rule_count": 7
}
},
"T1070.001": {
"generic": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 2
}
},
"T1070.002": {
"file": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1070.003": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "50.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1070.004": {
"file": {
"fields": {
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1070.006": {
"file": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1071": {
"library,network,process": {
"fields": {
"dll.name": "100.00%",
"dns.question.name": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%",
"process.parent.args": "100.00%",
"process.parent.name": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"network": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"http.request.body.content": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"network or network_traffic": {
"fields": {
"event.category": "100.00%",
"tls.server.hash.md5": "100.00%",
"tls.server.hash.sha1": "100.00%",
"tls.server.hash.sha256": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "50.00%",
"event.action": "50.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.args_count": "50.00%",
"process.entity_id": "50.00%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1071.001": {
"network": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"http.request.body.content": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"network or network_traffic": {
"fields": {
"event.category": "100.00%",
"tls.server.hash.md5": "100.00%",
"tls.server.hash.sha1": "100.00%",
"tls.server.hash.sha256": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "50.00%",
"event.action": "50.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.args_count": "50.00%",
"process.entity_id": "50.00%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
}
},
"T1071.004": {
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1074": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.application.name": "100.00%"
},
"rule_count": 1
}
},
"T1074.002": {
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.application.name": "100.00%"
},
"rule_count": 1
}
},
"T1078": {
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.DnsHostName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.event_data.TargetUserName": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"aws.cloudtrail.console_login.additional_eventdata.mfa_used": "3.45%",
"aws.cloudtrail.user_identity.type": "10.34%",
"azure.activitylogs.operation_name": "6.90%",
"azure.auditlogs.operation_name": "13.79%",
"azure.auditlogs.properties.target_resources.*.display_name": "6.90%",
"azure.signinlogs.properties.app_display_name": "3.45%",
"azure.signinlogs.properties.risk_level_aggregated": "3.45%",
"azure.signinlogs.properties.risk_level_during_signin": "3.45%",
"azure.signinlogs.properties.risk_state": "3.45%",
"azure.signinlogs.properties.token_issuer_type": "3.45%",
"event.action": "55.17%",
"event.code": "3.45%",
"event.dataset": "100.00%",
"event.outcome": "58.62%",
"event.provider": "20.69%",
"event.type": "6.90%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "6.90%",
"kubernetes.audit.objectRef.namespace": "3.45%",
"kubernetes.audit.objectRef.resource": "6.90%",
"kubernetes.audit.requestObject.spec.serviceAccountName": "3.45%",
"kubernetes.audit.user.username": "3.45%",
"kubernetes.audit.verb": "3.45%"
},
"rule_count": 29
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "50.00%",
"event.dataset": "50.00%",
"host.os.type": "50.00%",
"winlog.event_data.NewTargetUserName": "50.00%",
"winlog.event_data.OldTargetUserName": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "66.67%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "66.67%",
"process.command_line": "16.67%",
"process.name": "100.00%",
"process.parent.name": "33.33%",
"process.pe.original_file_name": "16.67%"
},
"rule_count": 6
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 2
}
},
"T1078.001": {
"generic": {
"fields": {
"event.dataset": "100.00%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "100.00%",
"kubernetes.audit.objectRef.namespace": "50.00%",
"kubernetes.audit.objectRef.resource": "100.00%",
"kubernetes.audit.requestObject.spec.serviceAccountName": "50.00%",
"kubernetes.audit.user.username": "50.00%",
"kubernetes.audit.verb": "50.00%"
},
"rule_count": 2
}
},
"T1078.002": {
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.DnsHostName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.event_data.TargetUserName": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.NewTargetUserName": "100.00%",
"winlog.event_data.OldTargetUserName": "100.00%"
},
"rule_count": 1
}
},
"T1078.003": {
"process": {
"fields": {
"event.category": "75.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "25.00%",
"process.pe.original_file_name": "25.00%"
},
"rule_count": 4
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1078.004": {
"generic": {
"fields": {
"azure.signinlogs.properties.app_display_name": "100.00%",
"azure.signinlogs.properties.token_issuer_type": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%"
},
"rule_count": 1
}
},
"T1080": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"event.dataset": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 2
}
},
"T1082": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "83.33%",
"process.args": "83.33%",
"process.name": "66.67%",
"process.parent.executable": "16.67%",
"process.pe.original_file_name": "16.67%",
"user.id": "16.67%",
"user.name": "16.67%"
},
"rule_count": 6
}
},
"T1083": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1087": {
"process": {
"fields": {
"event.category": "16.67%",
"event.type": "83.33%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "16.67%",
"process.args": "66.67%",
"process.name": "83.33%",
"process.parent.executable": "16.67%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "16.67%"
},
"rule_count": 6
}
},
"T1087.001": {
"process": {
"fields": {
"event.category": "25.00%",
"event.type": "75.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "25.00%",
"process.args": "75.00%",
"process.name": "75.00%",
"process.parent.executable": "25.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "25.00%"
},
"rule_count": 4
}
},
"T1087.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "66.67%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 3
}
},
"T1095": {
"network,process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1098": {
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.event_data.TargetSid": "100.00%",
"winlog.event_data.TargetUserName": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"azure.auditlogs.operation_name": "25.00%",
"azure.auditlogs.properties.category": "10.00%",
"azure.auditlogs.properties.target_resources.*.display_name": "5.00%",
"azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value": "5.00%",
"event.action": "75.00%",
"event.code": "15.00%",
"event.dataset": "90.00%",
"event.outcome": "60.00%",
"event.provider": "25.00%",
"host.os.type": "10.00%",
"message": "5.00%",
"o365.audit.ModifiedProperties.Role_DisplayName.NewValue": "5.00%",
"o365.audit.Parameters.AccessRights": "5.00%",
"user.id": "10.00%",
"winlog.event_data.AllowedToDelegateTo": "5.00%"
},
"rule_count": 20
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "75.00%",
"event.dataset": "75.00%",
"event.provider": "50.00%",
"event.type": "12.50%",
"google_workspace.admin.role.name": "12.50%",
"google_workspace.admin.setting.name": "12.50%",
"google_workspace.event.type": "25.00%",
"group.name": "12.50%",
"host.os.type": "25.00%",
"winlog.event_data.NewTargetUserName": "12.50%",
"winlog.event_data.OldTargetUserName": "12.50%"
},
"rule_count": 8
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%",
"o365.audit.Parameters.AllowFederatedUsers": "33.33%",
"o365.audit.Parameters.AllowGuestUser": "33.33%"
},
"rule_count": 3
}
},
"T1098.002": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%",
"o365.audit.Parameters.AccessRights": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1098.003": {
"generic": {
"fields": {
"azure.auditlogs.operation_name": "50.00%",
"azure.auditlogs.properties.category": "50.00%",
"azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value": "50.00%",
"event.action": "50.00%",
"event.code": "50.00%",
"event.dataset": "100.00%",
"o365.audit.ModifiedProperties.Role_DisplayName.NewValue": "50.00%"
},
"rule_count": 2
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.type": "50.00%",
"google_workspace.admin.role.name": "50.00%",
"google_workspace.event.type": "100.00%"
},
"rule_count": 2
}
},
"T1098.004": {
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
}
},
"T1102": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1105": {
"file": {
"fields": {
"event.action": "50.00%",
"event.type": "50.00%",
"file.Ext.header_bytes": "50.00%",
"file.Ext.original.name": "50.00%",
"file.extension": "100.00%",
"file.name": "50.00%",
"file.path": "50.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 2
},
"file,network": {
"fields": {
"destination.ip": "50.00%",
"dns.question.name": "50.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "50.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "50.00%",
"network.protocol": "100.00%",
"network.type": "50.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"user.domain": "50.00%"
},
"rule_count": 2
},
"network or network_traffic": {
"fields": {
"destination.ip": "100.00%",
"event.category": "100.00%",
"network.protocol": "100.00%",
"source.ip": "100.00%",
"url.extension": "100.00%",
"url.path": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.id": "33.33%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 3
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 3
}
},
"T1106": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "80.00%",
"event.type": "20.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "80.00%",
"process.executable": "20.00%",
"process.name": "20.00%",
"process.parent.name": "20.00%",
"user.id": "80.00%"
},
"rule_count": 5
}
},
"T1110": {
"any": {
"fields": {
"event.action": "100.00%",
"event.module": "100.00%",
"user.email": "100.00%"
},
"rule_count": 1
},
"authentication": {
"fields": {
"event.action": "80.00%",
"event.category": "40.00%",
"event.dataset": "40.00%",
"event.outcome": "40.00%",
"event.provider": "30.00%",
"host.id": "30.00%",
"host.os.type": "60.00%",
"o365.audit.LogonError": "20.00%",
"source.ip": "60.00%",
"user.domain": "20.00%",
"user.name": "60.00%",
"winlog.computer_name": "30.00%",
"winlog.event_data.Status": "30.00%",
"winlog.logon.type": "30.00%"
},
"rule_count": 10
},
"generic": {
"fields": {
"aws.cloudtrail.error_code": "33.33%",
"aws.cloudtrail.user_identity.type": "33.33%",
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "66.67%",
"event.provider": "66.67%"
},
"rule_count": 3
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1110.001": {
"authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "50.00%",
"host.id": "50.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "33.33%",
"user.name": "100.00%",
"winlog.computer_name": "50.00%",
"winlog.event_data.Status": "50.00%",
"winlog.logon.type": "50.00%"
},
"rule_count": 6
}
},
"T1110.003": {
"authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "50.00%",
"host.id": "50.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "33.33%",
"user.name": "100.00%",
"winlog.computer_name": "50.00%",
"winlog.event_data.Status": "50.00%",
"winlog.logon.type": "50.00%"
},
"rule_count": 6
}
},
"T1111": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%"
},
"rule_count": 1
}
},
"T1112": {
"registry": {
"fields": {
"event.type": "16.67%",
"host.os.type": "100.00%",
"process.executable": "33.33%",
"process.name": "33.33%",
"registry.data.strings": "83.33%",
"registry.path": "83.33%",
"user.id": "16.67%"
},
"rule_count": 6
}
},
"T1113": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1114": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.setting.name": "100.00%",
"google_workspace.event.type": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "25.00%",
"event.category": "50.00%",
"event.type": "25.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "50.00%",
"process.Ext.effective_parent.executable": "25.00%",
"process.Ext.effective_parent.name": "25.00%",
"process.command_line": "25.00%",
"process.name": "50.00%"
},
"rule_count": 4
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%",
"o365.audit.Parameters.ForwardAsAttachmentTo": "100.00%",
"o365.audit.Parameters.ForwardTo": "100.00%",
"o365.audit.Parameters.RedirectTo": "100.00%"
},
"rule_count": 1
}
},
"T1114.001": {
"process": {
"fields": {
"event.action": "33.33%",
"event.category": "66.67%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "66.67%",
"process.Ext.effective_parent.executable": "33.33%",
"process.Ext.effective_parent.name": "33.33%",
"process.name": "33.33%"
},
"rule_count": 3
}
},
"T1114.002": {
"process": {
"fields": {
"event.category": "66.67%",
"event.type": "33.33%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "66.67%",
"process.command_line": "33.33%",
"process.name": "33.33%"
},
"rule_count": 3
}
},
"T1114.003": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.setting.name": "100.00%",
"google_workspace.event.type": "100.00%"
},
"rule_count": 1
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%",
"o365.audit.Parameters.ForwardAsAttachmentTo": "100.00%",
"o365.audit.Parameters.ForwardTo": "100.00%",
"o365.audit.Parameters.RedirectTo": "100.00%"
},
"rule_count": 1
}
},
"T1115": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1120": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1123": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1124": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1127": {
"network,process": {
"fields": {
"destination.ip": "50.00%",
"dns.question.name": "25.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"source.ip": "25.00%"
},
"rule_count": 4
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "33.33%"
},
"rule_count": 3
}
},
"T1127.001": {
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"source.ip": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "33.33%"
},
"rule_count": 3
}
},
"T1129": {
"file": {
"fields": {
"file.extension": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
}
},
"T1133": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "66.67%",
"event.dataset": "100.00%",
"event.outcome": "66.67%",
"event.provider": "66.67%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "33.33%",
"kubernetes.audit.objectRef.resource": "33.33%",
"kubernetes.audit.requestObject.spec.type": "33.33%",
"kubernetes.audit.verb": "33.33%"
},
"rule_count": 3
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1134": {
"any": {
"fields": {
"event.action": "100.00%",
"event.provider": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.EnabledPrivilegeList": "100.00%",
"winlog.event_data.ProcessName": "100.00%",
"winlog.event_data.SubjectUserSid": "100.00%"
},
"rule_count": 1
},
"authentication,process": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"event.type": "100.00%",