

@brokensound77
Created March 11, 2023 05:56
Event category and field distribution over ATT&CK techniques

Event category and field distribution over ATT&CK techniques

Analysis of the Elastic detection-rules repository, showing which event.category values the rules for each ATT&CK technique query and how often each field is referenced within those rules. The full results are in the file below (fields_by_technique.json). Read the percentages as rule-dependency coverage, not data coverage: a field at 100.00% within a technique/category bucket is referenced by every rule in that bucket, so a data source that does not populate that field is likely to leave every one of those rules blind to the technique.

The structure is (one entry per ATT&CK technique ID, then one entry per event.category queried by the rules mapped to that technique):

"library": {                                       # event.category queried by the rules ("generic" if the rule does not constrain event.category; rules that query several categories appear to be keyed by the comma-joined list, e.g. "any,iam", or by the literal expression, e.g. "network or network_traffic")
      "fields": {                                  # field distribution for that event.category within that technique
        "dll.code_signature.status": "100.00%",    # field with the percentage of rules in this bucket that reference it
        "dll.code_signature.trusted": "100.00%",   # field with percentage
        "host.os.type": "100.00%",                 # field with percentage
        "process.pid": "100.00%"                   # field with percentage
      },
      "rule_count": 1                              # number of rules within this technique + event.category; this is the denominator for the percentages above
    }

Example (technique T1553):

"T1553": {
    "generic": {
      "fields": {
        "event.provider": "100.00%",
        "host.os.type": "100.00%",
        "message": "100.00%"
      },
      "rule_count": 1
    },
    "library": {
      "fields": {
        "dll.code_signature.status": "100.00%",
        "dll.code_signature.trusted": "100.00%",
        "host.os.type": "100.00%",
        "process.pid": "100.00%"
      },
      "rule_count": 1
    },
    "process": {
      "fields": {
        "event.category": "66.67%",
        "event.type": "100.00%",
        "host.os.type": "100.00%",
        "process.args": "100.00%",
        "process.executable": "33.33%",
        "process.name": "66.67%",
        "process.parent.executable": "33.33%",
        "process.pe.original_file_name": "33.33%"
      },
      "rule_count": 3
    },
    "registry": {
      "fields": {
        "event.type": "100.00%",
        "host.os.type": "100.00%",
        "process.executable": "33.33%",
        "registry.data.strings": "66.67%",
        "registry.path": "100.00%",
        "registry.value": "33.33%"
      },
      "rule_count": 3
    }
  }

For technique T1553, the following event.category values were present, with the number of rules for each:

  • 1 generic
  • 1 library
  • 3 process
  • 3 registry

And within each event.category the field percentages are relative to that category's rule_count, not to the technique as a whole: for example, process.executable at 33.33% in the process bucket means 1 of the 3 process rules references it, while host.os.type at 100.00% means all 3 do.

{
"T1003": {
"any": {
"fields": {
"event.action": "75.00%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "25.00%",
"winlog.event_data.AccessMask": "75.00%",
"winlog.event_data.AccessMaskDescription": "25.00%",
"winlog.event_data.ObjectName": "25.00%",
"winlog.event_data.ProcessName": "25.00%",
"winlog.event_data.Properties": "50.00%",
"winlog.event_data.Resource": "25.00%",
"winlog.event_data.SchemaFriendlyName": "25.00%",
"winlog.event_data.SubjectLogonId": "25.00%",
"winlog.event_data.SubjectUserName": "25.00%",
"winlog.event_data.SubjectUserSid": "25.00%",
"winlog.process.pid": "25.00%"
},
"rule_count": 4
},
"any,iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.PrivilegeList": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%"
},
"rule_count": 1
},
"any,library,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
},
"authentication,file": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.id": "100.00%",
"user.name": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "33.33%",
"file.Ext.header_bytes": "33.33%",
"file.name": "66.67%",
"file.path": "33.33%",
"file.size": "33.33%",
"host.os.type": "100.00%",
"process.executable": "33.33%",
"process.name": "33.33%",
"process.pid": "33.33%",
"user.id": "33.33%"
},
"rule_count": 3
},
"generic": {
"fields": {
"endgame.event_subtype_full": "66.67%",
"endgame.metadata.type": "66.67%",
"event.action": "100.00%",
"event.code": "33.33%",
"event.kind": "66.67%",
"event.module": "66.67%",
"host.os.type": "33.33%",
"winlog.event_data.Properties": "33.33%",
"winlog.event_data.SubjectUserName": "33.33%"
},
"rule_count": 3
},
"library": {
"fields": {
"dll.code_signature.status": "100.00%",
"dll.code_signature.subject_name": "100.00%",
"dll.hash.sha256": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "8.70%",
"event.category": "34.78%",
"event.code": "30.43%",
"event.dataset": "4.35%",
"event.type": "52.17%",
"file.name": "4.35%",
"file.pe.imphash": "4.35%",
"file.pe.original_file_name": "4.35%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "17.39%",
"process.args": "47.83%",
"process.args_count": "4.35%",
"process.command_line": "8.70%",
"process.entity_id": "4.35%",
"process.executable": "17.39%",
"process.name": "52.17%",
"process.parent.executable": "13.04%",
"process.pe.original_file_name": "34.78%",
"process.working_directory": "4.35%",
"user.id": "13.04%",
"user.name": "4.35%",
"winlog.event_data.CallTrace": "17.39%",
"winlog.event_data.GrantedAccess": "13.04%",
"winlog.event_data.TargetImage": "17.39%"
},
"rule_count": 23
},
"registry": {
"fields": {
"event.type": "50.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1003.001": {
"any": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.AccessMask": "100.00%",
"winlog.event_data.AccessMaskDescription": "100.00%",
"winlog.event_data.ObjectName": "100.00%",
"winlog.event_data.ProcessName": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"endgame.event_subtype_full": "100.00%",
"endgame.metadata.type": "100.00%",
"event.action": "100.00%",
"event.kind": "100.00%",
"event.module": "100.00%"
},
"rule_count": 2
},
"library": {
"fields": {
"dll.code_signature.status": "100.00%",
"dll.code_signature.subject_name": "100.00%",
"dll.hash.sha256": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "40.00%",
"event.code": "70.00%",
"event.dataset": "10.00%",
"event.type": "10.00%",
"file.name": "10.00%",
"file.pe.imphash": "10.00%",
"file.pe.original_file_name": "10.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "20.00%",
"process.args": "10.00%",
"process.command_line": "10.00%",
"process.entity_id": "10.00%",
"process.executable": "30.00%",
"process.name": "50.00%",
"process.parent.executable": "20.00%",
"process.pe.original_file_name": "10.00%",
"user.id": "10.00%",
"winlog.event_data.CallTrace": "40.00%",
"winlog.event_data.GrantedAccess": "30.00%",
"winlog.event_data.TargetImage": "40.00%"
},
"rule_count": 10
},
"registry": {
"fields": {
"event.type": "50.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1003.002": {
"any,iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.PrivilegeList": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%"
},
"rule_count": 1
},
"authentication,file": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.id": "100.00%",
"user.name": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.size": "100.00%",
"host.os.type": "100.00%",
"process.pid": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "33.33%",
"event.type": "66.67%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "33.33%",
"process.args": "66.67%",
"process.pe.original_file_name": "66.67%",
"user.id": "33.33%"
},
"rule_count": 3
}
},
"T1003.003": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "50.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "50.00%",
"process.args": "50.00%",
"process.command_line": "50.00%",
"process.name": "50.00%",
"process.parent.executable": "50.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
}
},
"T1003.004": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1003.006": {
"any": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.AccessMask": "100.00%",
"winlog.event_data.Properties": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.Properties": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%"
},
"rule_count": 1
}
},
"T1003.008": {
"process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.args_count": "50.00%",
"process.executable": "50.00%",
"process.name": "50.00%",
"process.parent.executable": "50.00%",
"process.working_directory": "50.00%",
"user.name": "50.00%"
},
"rule_count": 2
}
},
"T1005": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.command_line": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1006": {
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1007": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.args_count": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1016": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"event.action": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1016.001": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"event.action": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1018": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "83.33%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "66.67%"
},
"rule_count": 6
}
},
"T1020": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
}
},
"T1021": {
"any,iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.PrivilegeList": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%"
},
"rule_count": 1
},
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"any,process,registry": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
},
"authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"authentication,file": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.id": "100.00%",
"user.name": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "50.00%",
"user.name": "50.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.ServiceFileName": "50.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "50.00%",
"winlog.event_data.TargetLogonId": "50.00%",
"winlog.logon.id": "50.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 2
},
"file": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"file.Ext.header_bytes": "25.00%",
"file.name": "50.00%",
"file.path": "50.00%",
"file.size": "25.00%",
"host.os.type": "75.00%",
"process.executable": "25.00%",
"process.name": "50.00%",
"process.pid": "50.00%",
"user.id": "25.00%"
},
"rule_count": 4
},
"file,network": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.entity_id": "100.00%",
"process.pid": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 1
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.pid": "100.00%"
},
"rule_count": 1
},
"network or network_traffic": {
"fields": {
"destination.ip": "50.00%",
"destination.port": "100.00%",
"event.action": "50.00%",
"event.category": "100.00%",
"event.dataset": "50.00%",
"network.direction": "50.00%",
"network.transport": "50.00%",
"source.ip": "50.00%"
},
"rule_count": 2
},
"network,process": {
"fields": {
"destination.ip": "40.00%",
"destination.port": "70.00%",
"event.type": "100.00%",
"host.id": "60.00%",
"host.os.type": "100.00%",
"network.direction": "60.00%",
"network.protocol": "20.00%",
"network.transport": "40.00%",
"process.args": "40.00%",
"process.entity_id": "80.00%",
"process.executable": "20.00%",
"process.name": "90.00%",
"process.parent.entity_id": "30.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "10.00%",
"process.pid": "20.00%",
"source.ip": "60.00%",
"source.port": "40.00%"
},
"rule_count": 10
},
"network,process,registry": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 1
},
"network,registry": {
"fields": {
"destination.port": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "14.29%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "85.71%",
"process.command_line": "28.57%",
"process.executable": "14.29%",
"process.name": "85.71%",
"process.parent.executable": "28.57%",
"process.parent.name": "28.57%",
"process.pe.original_file_name": "28.57%",
"user.id": "14.29%"
},
"rule_count": 7
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "50.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.domain": "50.00%"
},
"rule_count": 2
}
},
"T1021.001": {
"network,process,registry": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
}
},
"T1021.002": {
"file": {
"fields": {
"event.type": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.size": "100.00%",
"host.os.type": "100.00%",
"process.pid": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"file,network": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.entity_id": "100.00%",
"process.pid": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 1
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.pid": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"destination.port": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"process.pid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.command_line": "33.33%",
"process.name": "100.00%",
"process.parent.executable": "33.33%",
"process.parent.name": "33.33%",
"process.pe.original_file_name": "33.33%"
},
"rule_count": 3
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1021.003": {
"network,process": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.args": "33.33%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.parent.entity_id": "66.67%",
"process.parent.name": "66.67%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 3
}
},
"T1021.004": {
"authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"file.path": "50.00%",
"host.os.type": "50.00%",
"process.executable": "50.00%",
"process.name": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.executable": "100.00%"
},
"rule_count": 1
}
},
"T1021.006": {
"network,process": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pid": "50.00%",
"source.ip": "100.00%"
},
"rule_count": 2
}
},
"T1027": {
"file,process": {
"fields": {
"event.action": "100.00%",
"file.Ext.entropy": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.args_count": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "60.00%",
"event.type": "60.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "40.00%",
"process.name": "60.00%",
"process.parent.name": "40.00%",
"user.id": "40.00%"
},
"rule_count": 5
}
},
"T1027.004": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
}
},
"T1027.006": {
"file,process": {
"fields": {
"event.action": "100.00%",
"file.Ext.entropy": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"file.size": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.args_count": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1033": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.Ext.token.integrity_level_name": "50.00%",
"process.name": "100.00%",
"process.parent.args": "50.00%",
"process.parent.executable": "50.00%",
"process.parent.name": "100.00%",
"user.domain": "50.00%",
"user.id": "50.00%",
"winlog.event_data.IntegrityLevel": "50.00%"
},
"rule_count": 2
}
},
"T1036": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"file,process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"process.parent.entity_id": "100.00%",
"process.parent.executable": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.agent_id_status": "100.00%"
},
"rule_count": 2
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.protocol": "100.00%",
"process.args_count": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "9.09%",
"process.executable": "45.45%",
"process.name": "81.82%",
"process.parent.args": "9.09%",
"process.parent.executable": "18.18%",
"process.parent.name": "18.18%",
"process.pe.original_file_name": "36.36%"
},
"rule_count": 11
}
},
"T1036.003": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 3
}
},
"T1036.005": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "33.33%",
"process.executable": "66.67%",
"process.name": "66.67%",
"process.parent.executable": "33.33%"
},
"rule_count": 3
}
},
"T1036.006": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1036.007": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
}
},
"T1037": {
"file": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "50.00%",
"user.name": "100.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.type": "100.00%",
"host.id": "33.33%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "33.33%",
"process.name": "66.67%",
"process.parent.pid": "33.33%",
"process.pid": "33.33%"
},
"rule_count": 3
}
},
"T1037.004": {
"file": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
}
},
"T1040": {
"generic": {
"fields": {
"azure.activitylogs.operation_name": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
}
},
"T1046": {
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1047": {
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"event.type": "50.00%",
"file.name": "100.00%",
"host.id": "50.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "50.00%",
"user.domain": "50.00%"
},
"rule_count": 2
},
"network,process": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1048": {
"network or network_traffic": {
"fields": {
"destination.ip": "50.00%",
"destination.port": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"network.transport": "100.00%",
"source.ip": "50.00%"
},
"rule_count": 2
}
},
"T1053": {
"any,library,network,process": {
"fields": {
"destination.address": "100.00%",
"destination.port": "100.00%",
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"any,process,registry": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
},
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.category": "33.33%",
"event.type": "100.00%",
"file.extension": "16.67%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "33.33%",
"user.name": "16.67%"
},
"rule_count": 6
},
"generic": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"message": "100.00%",
"winlog.event_data.AccessList": "100.00%",
"winlog.event_data.AttributeLDAPDisplayName": "100.00%",
"winlog.event_data.AttributeValue": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.ShareName": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "33.33%",
"winlog.event_data.TaskName": "100.00%"
},
"rule_count": 3
},
"network,registry": {
"fields": {
"destination.port": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.Ext.token.integrity_level_name": "33.33%",
"process.args": "100.00%",
"process.code_signature.trusted": "33.33%",
"process.entity_id": "33.33%",
"process.name": "100.00%",
"process.parent.args": "33.33%",
"process.parent.entity_id": "33.33%",
"process.parent.name": "66.67%",
"process.pe.original_file_name": "66.67%",
"process.working_directory": "33.33%",
"user.id": "33.33%",
"winlog.event_data.IntegrityLevel": "33.33%"
},
"rule_count": 3
}
},
"T1053.003": {
"file": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "75.00%",
"process.name": "25.00%",
"user.name": "25.00%"
},
"rule_count": 4
}
},
"T1053.005": {
"any,library,network,process": {
"fields": {
"destination.address": "100.00%",
"destination.port": "100.00%",
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"any,process,registry": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
},
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "50.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "50.00%"
},
"rule_count": 2
},
"generic": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"message": "100.00%",
"winlog.event_data.AccessList": "100.00%",
"winlog.event_data.AttributeLDAPDisplayName": "100.00%",
"winlog.event_data.AttributeValue": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.ShareName": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "33.33%",
"winlog.event_data.TaskName": "100.00%"
},
"rule_count": 3
},
"network,registry": {
"fields": {
"destination.port": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"registry.path": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.Ext.token.integrity_level_name": "33.33%",
"process.args": "100.00%",
"process.code_signature.trusted": "33.33%",
"process.entity_id": "33.33%",
"process.name": "100.00%",
"process.parent.args": "33.33%",
"process.parent.entity_id": "33.33%",
"process.parent.name": "66.67%",
"process.pe.original_file_name": "66.67%",
"process.working_directory": "33.33%",
"user.id": "33.33%",
"winlog.event_data.IntegrityLevel": "33.33%"
},
"rule_count": 3
}
},
"T1055": {
"file,process": {
"fields": {
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"endgame.event_subtype_full": "50.00%",
"endgame.metadata.type": "50.00%",
"event.action": "100.00%",
"event.kind": "50.00%",
"event.module": "50.00%",
"host.os.type": "50.00%",
"process.name": "50.00%"
},
"rule_count": 4
},
"process": {
"fields": {
"event.category": "22.22%",
"event.code": "22.22%",
"event.type": "55.56%",
"host.id": "11.11%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "22.22%",
"process.args": "33.33%",
"process.entity_id": "11.11%",
"process.executable": "55.56%",
"process.name": "44.44%",
"process.parent.args": "33.33%",
"process.parent.entity_id": "11.11%",
"process.parent.name": "55.56%",
"process.parent.pid": "11.11%",
"user.id": "22.22%",
"winlog.event_data.CallTrace": "22.22%",
"winlog.event_data.TargetImage": "11.11%",
"winlog.event_data.TargetProcessGUID": "11.11%"
},
"rule_count": 9
}
},
"T1055.001": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1055.002": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1055.012": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.args": "50.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
}
},
"T1056": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "50.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "50.00%",
"process.command_line": "50.00%",
"process.name": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
}
},
"T1056.001": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1056.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.command_line": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1057": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1059": {
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"file,network": {
"fields": {
"dns.question.name": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"azure.activitylogs.operation_name": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "33.33%",
"destination.port": "16.67%",
"event.action": "33.33%",
"event.type": "100.00%",
"host.id": "66.67%",
"host.os.type": "83.33%",
"process.args": "16.67%",
"process.entity_id": "50.00%",
"process.name": "100.00%",
"process.parent.name": "33.33%",
"process.parent.pid": "16.67%",
"process.pid": "16.67%",
"user.id": "16.67%"
},
"rule_count": 6
},
"process": {
"fields": {
"event.action": "2.17%",
"event.category": "47.83%",
"event.type": "63.04%",
"host.id": "6.52%",
"host.os.type": "91.30%",
"powershell.file.script_block_text": "36.96%",
"process.args": "36.96%",
"process.args_count": "2.17%",
"process.command_line": "8.70%",
"process.executable": "15.22%",
"process.name": "54.35%",
"process.parent.args": "8.70%",
"process.parent.command_line": "6.52%",
"process.parent.executable": "6.52%",
"process.parent.name": "28.26%",
"process.parent.pid": "4.35%",
"process.pe.original_file_name": "4.35%",
"process.pid": "4.35%",
"process.working_directory": "2.17%",
"user.id": "32.61%",
"user.name": "2.17%"
},
"rule_count": 46
}
},
"T1059.001": {
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"file,network": {
"fields": {
"dns.question.name": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "85.00%",
"event.type": "15.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "85.00%",
"process.args": "5.00%",
"process.executable": "5.00%",
"process.name": "15.00%",
"process.parent.args": "5.00%",
"process.parent.command_line": "5.00%",
"process.parent.name": "10.00%",
"process.pe.original_file_name": "5.00%",
"process.working_directory": "5.00%",
"user.id": "70.00%"
},
"rule_count": 20
}
},
"T1059.002": {
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.command_line": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1059.003": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "80.00%",
"process.args": "60.00%",
"process.name": "100.00%",
"process.parent.args": "20.00%",
"process.parent.command_line": "20.00%",
"process.parent.executable": "20.00%",
"process.parent.name": "40.00%"
},
"rule_count": 5
}
},
"T1059.004": {
"network,process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.id": "25.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.args_count": "25.00%",
"process.command_line": "25.00%",
"process.executable": "75.00%",
"process.name": "75.00%",
"process.parent.args": "25.00%",
"process.parent.command_line": "25.00%",
"process.parent.executable": "50.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "25.00%"
},
"rule_count": 4
}
},
"T1059.006": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 2
}
},
"T1059.007": {
"network,process": {
"fields": {
"destination.port": "50.00%",
"event.action": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "50.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.parent.pid": "50.00%",
"process.pid": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1068": {
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.DnsHostName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.event_data.TargetUserName": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "75.00%",
"file.extension": "50.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "25.00%",
"process.name": "75.00%",
"user.id": "25.00%"
},
"rule_count": 4
},
"generic": {
"fields": {
"endgame.event_subtype_full": "66.67%",
"endgame.metadata.type": "66.67%",
"event.action": "100.00%",
"event.code": "33.33%",
"event.kind": "66.67%",
"event.module": "66.67%",
"host.os.type": "33.33%",
"winlog.event_data.AttributeLDAPDisplayName": "33.33%",
"winlog.event_data.OperationType": "33.33%",
"winlog.event_data.SubjectUserSid": "33.33%"
},
"rule_count": 3
},
"library,network,process": {
"fields": {
"destination.port": "100.00%",
"dll.name": "100.00%",
"dns.question.name": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.protocol": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.parent.entity_id": "100.00%",
"process.parent.name": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "20.00%",
"event.category": "40.00%",
"event.type": "100.00%",
"host.os.type": "80.00%",
"process.Ext.token.integrity_level_name": "40.00%",
"process.args": "40.00%",
"process.command_line": "20.00%",
"process.executable": "40.00%",
"process.name": "60.00%",
"process.parent.executable": "20.00%",
"process.parent.name": "60.00%",
"process.pe.original_file_name": "20.00%",
"process.working_directory": "20.00%",
"user.name": "40.00%",
"winlog.event_data.IntegrityLevel": "40.00%"
},
"rule_count": 5
},
"registry": {
"fields": {
"host.id": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1069": {
"iam": {
"fields": {
"event.action": "100.00%",
"group.name": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.CallerProcessName": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetSid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "25.00%",
"event.type": "75.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "25.00%",
"process.args": "75.00%",
"process.name": "75.00%",
"process.parent.executable": "25.00%",
"process.parent.name": "25.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "25.00%"
},
"rule_count": 4
}
},
"T1069.001": {
"iam": {
"fields": {
"event.action": "100.00%",
"group.name": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.CallerProcessName": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetSid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "33.33%",
"event.type": "66.67%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "33.33%",
"process.args": "66.67%",
"process.name": "66.67%",
"process.parent.executable": "33.33%",
"process.parent.name": "33.33%",
"process.pe.original_file_name": "33.33%",
"user.id": "33.33%"
},
"rule_count": 3
}
},
"T1069.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 2
}
},
"T1070": {
"file": {
"fields": {
"event.action": "25.00%",
"event.code": "25.00%",
"event.type": "75.00%",
"file.extension": "25.00%",
"file.name": "25.00%",
"file.path": "50.00%",
"host.os.type": "75.00%",
"process.executable": "25.00%",
"process.name": "25.00%",
"user.name": "25.00%"
},
"rule_count": 4
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "50.00%",
"event.outcome": "50.00%",
"event.provider": "50.00%",
"host.os.type": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "14.29%",
"event.type": "100.00%",
"host.os.type": "71.43%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "57.14%",
"user.id": "14.29%"
},
"rule_count": 7
}
},
"T1070.001": {
"generic": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 2
}
},
"T1070.002": {
"file": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1070.003": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "50.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1070.004": {
"file": {
"fields": {
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1070.006": {
"file": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1071": {
"library,network,process": {
"fields": {
"dll.name": "100.00%",
"dns.question.name": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%",
"process.parent.args": "100.00%",
"process.parent.name": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"network": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"http.request.body.content": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"network or network_traffic": {
"fields": {
"event.category": "100.00%",
"tls.server.hash.md5": "100.00%",
"tls.server.hash.sha1": "100.00%",
"tls.server.hash.sha256": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "50.00%",
"event.action": "50.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.args_count": "50.00%",
"process.entity_id": "50.00%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1071.001": {
"network": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"http.request.body.content": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"network or network_traffic": {
"fields": {
"event.category": "100.00%",
"tls.server.hash.md5": "100.00%",
"tls.server.hash.sha1": "100.00%",
"tls.server.hash.sha256": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "50.00%",
"event.action": "50.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.args_count": "50.00%",
"process.entity_id": "50.00%",
"process.name": "100.00%",
"process.parent.name": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
}
},
"T1071.004": {
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1074": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.application.name": "100.00%"
},
"rule_count": 1
}
},
"T1074.002": {
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.application.name": "100.00%"
},
"rule_count": 1
}
},
"T1078": {
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.DnsHostName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.event_data.TargetUserName": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"aws.cloudtrail.console_login.additional_eventdata.mfa_used": "3.45%",
"aws.cloudtrail.user_identity.type": "10.34%",
"azure.activitylogs.operation_name": "6.90%",
"azure.auditlogs.operation_name": "13.79%",
"azure.auditlogs.properties.target_resources.*.display_name": "6.90%",
"azure.signinlogs.properties.app_display_name": "3.45%",
"azure.signinlogs.properties.risk_level_aggregated": "3.45%",
"azure.signinlogs.properties.risk_level_during_signin": "3.45%",
"azure.signinlogs.properties.risk_state": "3.45%",
"azure.signinlogs.properties.token_issuer_type": "3.45%",
"event.action": "55.17%",
"event.code": "3.45%",
"event.dataset": "100.00%",
"event.outcome": "58.62%",
"event.provider": "20.69%",
"event.type": "6.90%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "6.90%",
"kubernetes.audit.objectRef.namespace": "3.45%",
"kubernetes.audit.objectRef.resource": "6.90%",
"kubernetes.audit.requestObject.spec.serviceAccountName": "3.45%",
"kubernetes.audit.user.username": "3.45%",
"kubernetes.audit.verb": "3.45%"
},
"rule_count": 29
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "50.00%",
"event.dataset": "50.00%",
"host.os.type": "50.00%",
"winlog.event_data.NewTargetUserName": "50.00%",
"winlog.event_data.OldTargetUserName": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "66.67%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "66.67%",
"process.command_line": "16.67%",
"process.name": "100.00%",
"process.parent.name": "33.33%",
"process.pe.original_file_name": "16.67%"
},
"rule_count": 6
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 2
}
},
"T1078.001": {
"generic": {
"fields": {
"event.dataset": "100.00%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "100.00%",
"kubernetes.audit.objectRef.namespace": "50.00%",
"kubernetes.audit.objectRef.resource": "100.00%",
"kubernetes.audit.requestObject.spec.serviceAccountName": "50.00%",
"kubernetes.audit.user.username": "50.00%",
"kubernetes.audit.verb": "50.00%"
},
"rule_count": 2
}
},
"T1078.002": {
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "100.00%",
"user.name": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.DnsHostName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.SubjectUserName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.event_data.TargetUserName": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.NewTargetUserName": "100.00%",
"winlog.event_data.OldTargetUserName": "100.00%"
},
"rule_count": 1
}
},
"T1078.003": {
"process": {
"fields": {
"event.category": "75.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "25.00%",
"process.pe.original_file_name": "25.00%"
},
"rule_count": 4
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1078.004": {
"generic": {
"fields": {
"azure.signinlogs.properties.app_display_name": "100.00%",
"azure.signinlogs.properties.token_issuer_type": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%"
},
"rule_count": 1
}
},
"T1080": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"event.dataset": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 2
}
},
"T1082": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "83.33%",
"process.args": "83.33%",
"process.name": "66.67%",
"process.parent.executable": "16.67%",
"process.pe.original_file_name": "16.67%",
"user.id": "16.67%",
"user.name": "16.67%"
},
"rule_count": 6
}
},
"T1083": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1087": {
"process": {
"fields": {
"event.category": "16.67%",
"event.type": "83.33%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "16.67%",
"process.args": "66.67%",
"process.name": "83.33%",
"process.parent.executable": "16.67%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "16.67%"
},
"rule_count": 6
}
},
"T1087.001": {
"process": {
"fields": {
"event.category": "25.00%",
"event.type": "75.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "25.00%",
"process.args": "75.00%",
"process.name": "75.00%",
"process.parent.executable": "25.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "25.00%"
},
"rule_count": 4
}
},
"T1087.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "66.67%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 3
}
},
"T1095": {
"network,process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1098": {
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.event_data.TargetSid": "100.00%",
"winlog.event_data.TargetUserName": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"azure.auditlogs.operation_name": "25.00%",
"azure.auditlogs.properties.category": "10.00%",
"azure.auditlogs.properties.target_resources.*.display_name": "5.00%",
"azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value": "5.00%",
"event.action": "75.00%",
"event.code": "15.00%",
"event.dataset": "90.00%",
"event.outcome": "60.00%",
"event.provider": "25.00%",
"host.os.type": "10.00%",
"message": "5.00%",
"o365.audit.ModifiedProperties.Role_DisplayName.NewValue": "5.00%",
"o365.audit.Parameters.AccessRights": "5.00%",
"user.id": "10.00%",
"winlog.event_data.AllowedToDelegateTo": "5.00%"
},
"rule_count": 20
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "75.00%",
"event.dataset": "75.00%",
"event.provider": "50.00%",
"event.type": "12.50%",
"google_workspace.admin.role.name": "12.50%",
"google_workspace.admin.setting.name": "12.50%",
"google_workspace.event.type": "25.00%",
"group.name": "12.50%",
"host.os.type": "25.00%",
"winlog.event_data.NewTargetUserName": "12.50%",
"winlog.event_data.OldTargetUserName": "12.50%"
},
"rule_count": 8
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%",
"o365.audit.Parameters.AllowFederatedUsers": "33.33%",
"o365.audit.Parameters.AllowGuestUser": "33.33%"
},
"rule_count": 3
}
},
"T1098.002": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%",
"o365.audit.Parameters.AccessRights": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1098.003": {
"generic": {
"fields": {
"azure.auditlogs.operation_name": "50.00%",
"azure.auditlogs.properties.category": "50.00%",
"azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value": "50.00%",
"event.action": "50.00%",
"event.code": "50.00%",
"event.dataset": "100.00%",
"o365.audit.ModifiedProperties.Role_DisplayName.NewValue": "50.00%"
},
"rule_count": 2
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.type": "50.00%",
"google_workspace.admin.role.name": "50.00%",
"google_workspace.event.type": "100.00%"
},
"rule_count": 2
}
},
"T1098.004": {
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
}
},
"T1102": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1105": {
"file": {
"fields": {
"event.action": "50.00%",
"event.type": "50.00%",
"file.Ext.header_bytes": "50.00%",
"file.Ext.original.name": "50.00%",
"file.extension": "100.00%",
"file.name": "50.00%",
"file.path": "50.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 2
},
"file,network": {
"fields": {
"destination.ip": "50.00%",
"dns.question.name": "50.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "50.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "50.00%",
"network.protocol": "100.00%",
"network.type": "50.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"user.domain": "50.00%"
},
"rule_count": 2
},
"network or network_traffic": {
"fields": {
"destination.ip": "100.00%",
"event.category": "100.00%",
"network.protocol": "100.00%",
"source.ip": "100.00%",
"url.extension": "100.00%",
"url.path": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.id": "33.33%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 3
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 3
}
},
"T1106": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "80.00%",
"event.type": "20.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "80.00%",
"process.executable": "20.00%",
"process.name": "20.00%",
"process.parent.name": "20.00%",
"user.id": "80.00%"
},
"rule_count": 5
}
},
"T1110": {
"any": {
"fields": {
"event.action": "100.00%",
"event.module": "100.00%",
"user.email": "100.00%"
},
"rule_count": 1
},
"authentication": {
"fields": {
"event.action": "80.00%",
"event.category": "40.00%",
"event.dataset": "40.00%",
"event.outcome": "40.00%",
"event.provider": "30.00%",
"host.id": "30.00%",
"host.os.type": "60.00%",
"o365.audit.LogonError": "20.00%",
"source.ip": "60.00%",
"user.domain": "20.00%",
"user.name": "60.00%",
"winlog.computer_name": "30.00%",
"winlog.event_data.Status": "30.00%",
"winlog.logon.type": "30.00%"
},
"rule_count": 10
},
"generic": {
"fields": {
"aws.cloudtrail.error_code": "33.33%",
"aws.cloudtrail.user_identity.type": "33.33%",
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "66.67%",
"event.provider": "66.67%"
},
"rule_count": 3
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1110.001": {
"authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "50.00%",
"host.id": "50.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "33.33%",
"user.name": "100.00%",
"winlog.computer_name": "50.00%",
"winlog.event_data.Status": "50.00%",
"winlog.logon.type": "50.00%"
},
"rule_count": 6
}
},
"T1110.003": {
"authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "50.00%",
"host.id": "50.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"user.domain": "33.33%",
"user.name": "100.00%",
"winlog.computer_name": "50.00%",
"winlog.event_data.Status": "50.00%",
"winlog.logon.type": "50.00%"
},
"rule_count": 6
}
},
"T1111": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%"
},
"rule_count": 1
}
},
"T1112": {
"registry": {
"fields": {
"event.type": "16.67%",
"host.os.type": "100.00%",
"process.executable": "33.33%",
"process.name": "33.33%",
"registry.data.strings": "83.33%",
"registry.path": "83.33%",
"user.id": "16.67%"
},
"rule_count": 6
}
},
"T1113": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1114": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.setting.name": "100.00%",
"google_workspace.event.type": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "25.00%",
"event.category": "50.00%",
"event.type": "25.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "50.00%",
"process.Ext.effective_parent.executable": "25.00%",
"process.Ext.effective_parent.name": "25.00%",
"process.command_line": "25.00%",
"process.name": "50.00%"
},
"rule_count": 4
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%",
"o365.audit.Parameters.ForwardAsAttachmentTo": "100.00%",
"o365.audit.Parameters.ForwardTo": "100.00%",
"o365.audit.Parameters.RedirectTo": "100.00%"
},
"rule_count": 1
}
},
"T1114.001": {
"process": {
"fields": {
"event.action": "33.33%",
"event.category": "66.67%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "66.67%",
"process.Ext.effective_parent.executable": "33.33%",
"process.Ext.effective_parent.name": "33.33%",
"process.name": "33.33%"
},
"rule_count": 3
}
},
"T1114.002": {
"process": {
"fields": {
"event.category": "66.67%",
"event.type": "33.33%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "66.67%",
"process.command_line": "33.33%",
"process.name": "33.33%"
},
"rule_count": 3
}
},
"T1114.003": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.setting.name": "100.00%",
"google_workspace.event.type": "100.00%"
},
"rule_count": 1
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%",
"o365.audit.Parameters.ForwardAsAttachmentTo": "100.00%",
"o365.audit.Parameters.ForwardTo": "100.00%",
"o365.audit.Parameters.RedirectTo": "100.00%"
},
"rule_count": 1
}
},
"T1115": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1120": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1123": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1124": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1127": {
"network,process": {
"fields": {
"destination.ip": "50.00%",
"dns.question.name": "25.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"source.ip": "25.00%"
},
"rule_count": 4
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "33.33%"
},
"rule_count": 3
}
},
"T1127.001": {
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"source.ip": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "33.33%"
},
"rule_count": 3
}
},
"T1129": {
"file": {
"fields": {
"file.extension": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
}
},
"T1133": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "66.67%",
"event.dataset": "100.00%",
"event.outcome": "66.67%",
"event.provider": "66.67%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "33.33%",
"kubernetes.audit.objectRef.resource": "33.33%",
"kubernetes.audit.requestObject.spec.type": "33.33%",
"kubernetes.audit.verb": "33.33%"
},
"rule_count": 3
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1134": {
"any": {
"fields": {
"event.action": "100.00%",
"event.provider": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.EnabledPrivilegeList": "100.00%",
"winlog.event_data.ProcessName": "100.00%",
"winlog.event_data.SubjectUserSid": "100.00%"
},
"rule_count": 1
},
"authentication,process": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"source.ip": "100.00%",
"user.id": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.LogonProcessName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.action": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"endgame.event_subtype_full": "100.00%",
"endgame.metadata.type": "100.00%",
"event.action": "100.00%",
"event.kind": "100.00%",
"event.module": "100.00%"
},
"rule_count": 4
},
"process": {
"fields": {
"event.action": "40.00%",
"event.category": "20.00%",
"event.type": "40.00%",
"host.id": "20.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "20.00%",
"process.Ext.effective_parent.executable": "20.00%",
"process.Ext.token.integrity_level_name": "20.00%",
"process.args": "20.00%",
"process.code_signature.exists": "20.00%",
"process.code_signature.status": "20.00%",
"process.code_signature.subject_name": "40.00%",
"process.code_signature.trusted": "40.00%",
"process.executable": "60.00%",
"process.name": "20.00%",
"process.parent.Ext.real.pid": "40.00%",
"process.parent.args": "20.00%",
"process.parent.executable": "40.00%",
"process.parent.name": "20.00%",
"process.pe.original_file_name": "40.00%",
"process.pid": "20.00%",
"user.id": "80.00%"
},
"rule_count": 5
}
},
"T1134.001": {
"process": {
"fields": {
"event.category": "100.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1134.002": {
"authentication,process": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"source.ip": "100.00%",
"user.id": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.LogonProcessName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"process.Ext.effective_parent.executable": "50.00%",
"process.code_signature.subject_name": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.executable": "100.00%",
"process.parent.Ext.real.pid": "50.00%",
"process.parent.args": "50.00%",
"process.parent.executable": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1134.003": {
"authentication,process": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"source.ip": "100.00%",
"user.id": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.LogonProcessName": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%"
},
"rule_count": 1
}
},
"T1134.004": {
"process": {
"fields": {
"event.action": "50.00%",
"event.type": "50.00%",
"host.id": "50.00%",
"host.os.type": "100.00%",
"process.Ext.token.integrity_level_name": "50.00%",
"process.code_signature.exists": "50.00%",
"process.code_signature.status": "50.00%",
"process.code_signature.subject_name": "50.00%",
"process.code_signature.trusted": "50.00%",
"process.executable": "100.00%",
"process.name": "50.00%",
"process.parent.Ext.real.pid": "100.00%",
"process.parent.executable": "50.00%",
"process.parent.name": "50.00%",
"process.pe.original_file_name": "50.00%",
"process.pid": "50.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1135": {
"process": {
"fields": {
"event.category": "66.67%",
"event.type": "33.33%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "66.67%",
"process.args": "33.33%",
"process.name": "33.33%",
"process.parent.name": "33.33%",
"process.pe.original_file_name": "33.33%",
"user.id": "66.67%"
},
"rule_count": 3
}
},
"T1136": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.code": "20.00%",
"event.dataset": "80.00%",
"event.module": "20.00%",
"event.outcome": "60.00%",
"event.provider": "40.00%",
"host.os.type": "20.00%"
},
"rule_count": 5
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1136.001": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"event.module": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1136.002": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"event.module": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
}
},
"T1136.003": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 2
}
},
"T1137": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "50.00%",
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 2
}
},
"T1140": {
"process": {
"fields": {
"event.category": "75.00%",
"event.type": "50.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "50.00%",
"process.args": "25.00%",
"process.name": "50.00%",
"process.pe.original_file_name": "25.00%",
"user.id": "50.00%"
},
"rule_count": 4
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.data.strings": "100.00%"
},
"rule_count": 1
}
},
"T1189": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.command_line": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1190": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"azure.activitylogs.operation_name": "50.00%",
"event.action": "50.00%",
"event.dataset": "100.00%",
"event.module": "50.00%",
"event.outcome": "50.00%",
"event.type": "50.00%",
"zoom.meeting.password": "50.00%"
},
"rule_count": 2
},
"network or network_traffic": {
"fields": {
"destination.ip": "83.33%",
"destination.port": "100.00%",
"event.action": "16.67%",
"event.category": "100.00%",
"event.dataset": "66.67%",
"network.direction": "16.67%",
"network.transport": "83.33%",
"source.ip": "83.33%"
},
"rule_count": 6
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "33.33%",
"process.name": "66.67%",
"process.parent.args": "33.33%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "33.33%"
},
"rule_count": 3
}
},
"T1195": {
"network": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"http.request.body.content": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1195.002": {
"network": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"http.request.body.content": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1197": {
"file": {
"fields": {
"event.action": "100.00%",
"file.Ext.header_bytes": "100.00%",
"file.Ext.original.name": "100.00%",
"file.extension": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.parent.args": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1202": {
"file,process": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.command_line": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.command_line": "50.00%",
"process.executable": "75.00%",
"process.name": "75.00%",
"process.parent.command_line": "25.00%",
"process.parent.executable": "50.00%",
"process.parent.name": "25.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 4
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1203": {
"network,process": {
"fields": {
"destination.port": "100.00%",
"event.action": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.parent.pid": "100.00%",
"process.pid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.command_line": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1204": {
"file": {
"fields": {
"event.type": "100.00%",
"file.Ext.windows.zone_identifier": "66.67%",
"file.extension": "100.00%",
"file.name": "33.33%",
"file.path": "33.33%",
"host.os.type": "100.00%",
"process.entity_id": "66.67%",
"process.executable": "33.33%",
"process.name": "33.33%"
},
"rule_count": 3
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1204.002": {
"file": {
"fields": {
"event.type": "100.00%",
"file.Ext.windows.zone_identifier": "50.00%",
"file.extension": "100.00%",
"file.name": "50.00%",
"file.path": "50.00%",
"host.os.type": "100.00%",
"process.entity_id": "50.00%",
"process.executable": "50.00%"
},
"rule_count": 2
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1210": {
"network or network_traffic": {
"fields": {
"destination.port": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.type": "100.00%",
"network.bytes": "100.00%",
"type": "100.00%"
},
"rule_count": 1
}
},
"T1211": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1212": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1218": {
"library,process": {
"fields": {
"dll.name": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.subject_name": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "62.50%",
"destination.port": "12.50%",
"event.type": "100.00%",
"host.id": "37.50%",
"host.os.type": "100.00%",
"network.direction": "25.00%",
"network.protocol": "12.50%",
"network.transport": "12.50%",
"process.Ext.token.integrity_level_name": "12.50%",
"process.args": "25.00%",
"process.args_count": "25.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.parent.executable": "25.00%",
"process.parent.name": "25.00%",
"source.ip": "12.50%",
"source.port": "12.50%",
"winlog.event_data.IntegrityLevel": "12.50%"
},
"rule_count": 8
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "37.50%",
"process.args_count": "12.50%",
"process.command_line": "12.50%",
"process.entity_id": "12.50%",
"process.executable": "50.00%",
"process.name": "87.50%",
"process.parent.entity_id": "12.50%",
"process.parent.name": "62.50%",
"process.pe.original_file_name": "50.00%",
"process.working_directory": "12.50%"
},
"rule_count": 8
}
},
"T1218.001": {
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1218.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.command_line": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
}
},
"T1218.004": {
"network,process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1218.005": {
"network,process": {
"fields": {
"destination.port": "50.00%",
"event.type": "100.00%",
"host.id": "50.00%",
"host.os.type": "100.00%",
"network.direction": "50.00%",
"network.transport": "50.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.parent.executable": "50.00%",
"process.parent.name": "50.00%",
"source.ip": "50.00%",
"source.port": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.working_directory": "100.00%"
},
"rule_count": 1
}
},
"T1218.010": {
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.Ext.token.integrity_level_name": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.parent.executable": "100.00%",
"process.parent.name": "100.00%",
"winlog.event_data.IntegrityLevel": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.working_directory": "100.00%"
},
"rule_count": 1
}
},
"T1218.011": {
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.args_count": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args_count": "50.00%",
"process.entity_id": "50.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.entity_id": "50.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "50.00%",
"process.working_directory": "50.00%"
},
"rule_count": 2
}
},
"T1219": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"network or network_traffic": {
"fields": {
"destination.ip": "100.00%",
"destination.port": "100.00%",
"event.category": "100.00%",
"network.transport": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 2
}
},
"T1220": {
"any,library,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.command_line": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"network.direction": "50.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 2
}
},
"T1222": {
"generic": {
"fields": {
"azure.activitylogs.operation_name": "50.00%",
"event.action": "50.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.executable": "50.00%",
"process.name": "50.00%",
"process.parent.executable": "50.00%",
"process.working_directory": "50.00%",
"user.name": "100.00%"
},
"rule_count": 2
}
},
"T1222.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "100.00%",
"process.parent.executable": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
}
},
"T1482": {
"process": {
"fields": {
"event.category": "25.00%",
"event.type": "75.00%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "25.00%",
"process.args": "75.00%",
"process.name": "75.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "25.00%"
},
"rule_count": 4
}
},
"T1484": {
"generic": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"message": "66.67%",
"winlog.event_data.AccessList": "66.67%",
"winlog.event_data.AttributeLDAPDisplayName": "100.00%",
"winlog.event_data.AttributeValue": "100.00%",
"winlog.event_data.RelativeTargetName": "66.67%",
"winlog.event_data.ShareName": "66.67%"
},
"rule_count": 3
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
}
},
"T1484.001": {
"generic": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"message": "66.67%",
"winlog.event_data.AccessList": "66.67%",
"winlog.event_data.AttributeLDAPDisplayName": "100.00%",
"winlog.event_data.AttributeValue": "100.00%",
"winlog.event_data.RelativeTargetName": "66.67%",
"winlog.event_data.ShareName": "66.67%"
},
"rule_count": 3
}
},
"T1484.002": {
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
}
},
"T1485": {
"generic": {
"fields": {
"azure.activitylogs.operation_name": "14.29%",
"event.action": "85.71%",
"event.dataset": "100.00%",
"event.outcome": "85.71%",
"event.provider": "71.43%"
},
"rule_count": 7
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
}
},
"T1486": {
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
}
},
"T1489": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "50.00%",
"event.provider": "50.00%"
},
"rule_count": 4
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 2
}
},
"T1490": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "80.00%"
},
"rule_count": 5
}
},
"T1496": {
"generic": {
"fields": {
"azure.auditlogs.operation_name": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
}
},
"T1497": {
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
}
},
"T1498": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%"
},
"rule_count": 1
}
},
"T1499": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%"
},
"rule_count": 1
}
},
"T1505": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
}
},
"T1505.003": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 2
}
},
"T1518": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "66.67%",
"process.args": "66.67%",
"process.name": "100.00%",
"process.parent.executable": "33.33%",
"process.parent.name": "33.33%",
"process.pe.original_file_name": "33.33%",
"user.id": "33.33%"
},
"rule_count": 3
}
},
"T1518.001": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "50.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.executable": "50.00%",
"process.pe.original_file_name": "50.00%",
"user.id": "50.00%"
},
"rule_count": 2
}
},
"T1526": {
"generic": {
"fields": {
"azure.activitylogs.operation_name": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
}
},
"T1528": {
"generic": {
"fields": {
"azure.activitylogs.operation_name": "66.67%",
"azure.auditlogs.operation_name": "33.33%",
"event.action": "33.33%",
"event.dataset": "100.00%",
"event.outcome": "66.67%",
"event.provider": "33.33%",
"o365.audit.Operation": "33.33%"
},
"rule_count": 3
}
},
"T1530": {
"generic": {
"fields": {
"azure.activitylogs.operation_name": "20.00%",
"event.action": "80.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "40.00%"
},
"rule_count": 5
}
},
"T1531": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "85.71%",
"event.provider": "42.86%"
},
"rule_count": 7
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.provider": "100.00%",
"google_workspace.admin.new_value": "50.00%"
},
"rule_count": 2
}
},
"T1537": {
"generic": {
"fields": {
"azure.activitylogs.operation_name": "25.00%",
"event.action": "75.00%",
"event.dataset": "100.00%",
"event.outcome": "75.00%",
"event.provider": "50.00%"
},
"rule_count": 4
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 2
}
},
"T1539": {
"process": {
"fields": {
"event.category": "33.33%",
"event.type": "100.00%",
"host.os.type": "66.67%",
"process.args": "100.00%",
"process.name": "66.67%",
"process.parent.executable": "33.33%"
},
"rule_count": 3
}
},
"T1543": {
"any": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.ImagePath": "100.00%",
"winlog.event_data.ServiceFileName": "100.00%"
},
"rule_count": 1
},
"any,authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.AuthenticationPackageName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.ServiceFileName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.logon.id": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"driver": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.action": "20.00%",
"event.category": "60.00%",
"event.type": "80.00%",
"file.name": "40.00%",
"file.path": "100.00%",
"host.os.type": "80.00%",
"process.executable": "40.00%",
"process.name": "40.00%",
"user.name": "20.00%"
},
"rule_count": 5
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 2
},
"generic": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.ClientProcessId": "100.00%",
"winlog.event_data.ParentProcessId": "100.00%"
},
"rule_count": 1
},
"library": {
"fields": {
"dll.Ext.relative_file_creation_time": "100.00%",
"dll.code_signature.status": "100.00%",
"dll.code_signature.trusted": "100.00%",
"dll.hash.sha256": "100.00%",
"dll.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "20.00%",
"event.category": "20.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "60.00%",
"process.executable": "40.00%",
"process.name": "80.00%",
"process.parent.args": "20.00%",
"process.parent.executable": "80.00%",
"process.parent.name": "20.00%"
},
"rule_count": 5
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.executable": "25.00%",
"process.name": "50.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.id": "25.00%"
},
"rule_count": 4
}
},
"T1543.001": {
"file": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.executable": "100.00%"
},
"rule_count": 1
}
},
"T1543.002": {
"file": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
}
},
"T1543.003": {
"any": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.ImagePath": "100.00%",
"winlog.event_data.ServiceFileName": "100.00%"
},
"rule_count": 1
},
"any,authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.AuthenticationPackageName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"authentication,iam": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.ServiceFileName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.logon.id": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"driver": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.ClientProcessId": "100.00%",
"winlog.event_data.ParentProcessId": "100.00%"
},
"rule_count": 1
},
"library": {
"fields": {
"dll.Ext.relative_file_creation_time": "100.00%",
"dll.code_signature.status": "100.00%",
"dll.code_signature.trusted": "100.00%",
"dll.hash.sha256": "100.00%",
"dll.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"network,process": {
"fields": {
"destination.ip": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.args": "50.00%",
"process.parent.executable": "50.00%",
"process.parent.name": "50.00%"
},
"rule_count": 2
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.executable": "33.33%",
"process.name": "66.67%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 3
}
},
"T1546": {
"file": {
"fields": {
"event.action": "20.00%",
"event.category": "40.00%",
"event.type": "80.00%",
"file.name": "40.00%",
"file.path": "100.00%",
"host.os.type": "80.00%",
"process.code_signature.exists": "20.00%",
"process.code_signature.trusted": "20.00%",
"process.executable": "60.00%",
"process.name": "40.00%"
},
"rule_count": 5
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "71.43%",
"process.name": "57.14%",
"process.parent.name": "57.14%",
"process.pe.original_file_name": "42.86%",
"user.name": "28.57%"
},
"rule_count": 7
},
"process,registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.executable": "50.00%",
"process.name": "25.00%",
"registry.data.strings": "50.00%",
"registry.path": "100.00%",
"user.domain": "25.00%"
},
"rule_count": 4
}
},
"T1546.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1546.003": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1546.004": {
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1546.008": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%",
"user.name": "100.00%"
},
"rule_count": 2
}
},
"T1546.009": {
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1546.010": {
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.executable": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1546.011": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 2
},
"process,registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1546.012": {
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1546.013": {
"file": {
"fields": {
"event.type": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
}
},
"T1546.014": {
"file": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1546.015": {
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
}
},
"T1547": {
"file": {
"fields": {
"event.category": "42.86%",
"event.type": "100.00%",
"file.extension": "14.29%",
"file.name": "14.29%",
"file.path": "85.71%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "14.29%",
"process.name": "85.71%",
"process.pid": "14.29%",
"user.domain": "28.57%"
},
"rule_count": 7
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"message": "100.00%",
"winlog.event_data.AccessList": "100.00%",
"winlog.event_data.AttributeLDAPDisplayName": "100.00%",
"winlog.event_data.AttributeValue": "100.00%",
"winlog.event_data.RelativeTargetName": "100.00%",
"winlog.event_data.ShareName": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "40.00%",
"event.type": "100.00%",
"host.id": "20.00%",
"host.os.type": "100.00%",
"process.args": "80.00%",
"process.command_line": "20.00%",
"process.executable": "20.00%",
"process.name": "60.00%",
"process.parent.name": "20.00%",
"process.pe.original_file_name": "20.00%",
"user.name": "20.00%"
},
"rule_count": 5
},
"registry": {
"fields": {
"event.type": "45.45%",
"host.os.type": "100.00%",
"process.executable": "27.27%",
"process.name": "27.27%",
"registry.data.strings": "63.64%",
"registry.path": "100.00%",
"registry.value": "9.09%",
"user.id": "45.45%"
},
"rule_count": 11
}
},
"T1547.001": {
"file": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.pid": "33.33%",
"user.domain": "66.67%"
},
"rule_count": 3
},
"file,process": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.executable": "40.00%",
"process.name": "60.00%",
"registry.data.strings": "80.00%",
"registry.path": "100.00%",
"registry.value": "20.00%",
"user.id": "20.00%"
},
"rule_count": 5
}
},
"T1547.002": {
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.path": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1547.003": {
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1547.005": {
"registry": {
"fields": {
"host.os.type": "100.00%",
"process.executable": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1547.006": {
"process": {
"fields": {
"event.category": "66.67%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "33.33%",
"process.name": "33.33%"
},
"rule_count": 3
}
},
"T1547.010": {
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.id": "100.00%"
},
"rule_count": 2
}
},
"T1548": {
"file": {
"fields": {
"event.category": "33.33%",
"event.type": "100.00%",
"file.name": "33.33%",
"file.path": "100.00%",
"host.os.type": "66.67%",
"process.executable": "33.33%",
"process.name": "33.33%",
"user.name": "33.33%"
},
"rule_count": 3
},
"generic": {
"fields": {
"aws.cloudtrail.user_identity.session_context.session_issuer.type": "50.00%",
"aws.cloudtrail.user_identity.type": "50.00%",
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 2
},
"network,process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "23.08%",
"event.type": "100.00%",
"host.os.type": "92.31%",
"process.args": "53.85%",
"process.command_line": "15.38%",
"process.entity_id": "7.69%",
"process.executable": "38.46%",
"process.name": "46.15%",
"process.parent.args": "30.77%",
"process.parent.entity_id": "7.69%",
"process.parent.name": "53.85%",
"process.pe.original_file_name": "7.69%"
},
"rule_count": 13
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 2
}
},
"T1548.002": {
"file": {
"fields": {
"event.type": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "37.50%",
"process.entity_id": "12.50%",
"process.executable": "62.50%",
"process.name": "37.50%",
"process.parent.args": "50.00%",
"process.parent.entity_id": "12.50%",
"process.parent.name": "75.00%",
"process.pe.original_file_name": "12.50%"
},
"rule_count": 8
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 2
}
},
"T1548.003": {
"file": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "50.00%",
"process.executable": "50.00%",
"user.name": "50.00%"
},
"rule_count": 2
},
"network,process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"process.args": "100.00%"
},
"rule_count": 1
}
},
"T1548.004": {
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%"
},
"rule_count": 1
}
},
"T1550": {
"generic": {
"fields": {
"aws.cloudtrail.user_identity.session_context.session_issuer.type": "20.00%",
"aws.cloudtrail.user_identity.type": "20.00%",
"azure.auditlogs.operation_name": "40.00%",
"event.action": "60.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "60.00%"
},
"rule_count": 5
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%"
},
"rule_count": 1
}
},
"T1550.001": {
"generic": {
"fields": {
"aws.cloudtrail.user_identity.session_context.session_issuer.type": "20.00%",
"aws.cloudtrail.user_identity.type": "20.00%",
"azure.auditlogs.operation_name": "40.00%",
"event.action": "60.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "60.00%"
},
"rule_count": 5
}
},
"T1550.003": {
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%"
},
"rule_count": 1
}
},
"T1552": {
"file": {
"fields": {
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"azure.activitylogs.operation_name": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.name": "100.00%",
"process.parent.args": "50.00%",
"process.parent.command_line": "50.00%",
"process.parent.name": "50.00%"
},
"rule_count": 2
}
},
"T1552.001": {
"generic": {
"fields": {
"azure.activitylogs.operation_name": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1552.004": {
"file": {
"fields": {
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
}
},
"T1553": {
"generic": {
"fields": {
"event.provider": "100.00%",
"host.os.type": "100.00%",
"message": "100.00%"
},
"rule_count": 1
},
"library": {
"fields": {
"dll.code_signature.status": "100.00%",
"dll.code_signature.trusted": "100.00%",
"host.os.type": "100.00%",
"process.pid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "66.67%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "33.33%",
"process.name": "66.67%",
"process.parent.executable": "33.33%",
"process.pe.original_file_name": "33.33%"
},
"rule_count": 3
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "33.33%",
"registry.data.strings": "66.67%",
"registry.path": "100.00%",
"registry.value": "33.33%"
},
"rule_count": 3
}
},
"T1553.002": {
"generic": {
"fields": {
"event.provider": "100.00%",
"host.os.type": "100.00%",
"message": "100.00%"
},
"rule_count": 1
}
},
"T1553.003": {
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1553.004": {
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.executable": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1553.006": {
"library": {
"fields": {
"dll.code_signature.status": "100.00%",
"dll.code_signature.trusted": "100.00%",
"host.os.type": "100.00%",
"process.pid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"registry.value": "100.00%"
},
"rule_count": 1
}
},
"T1554": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.name": "50.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 2
}
},
"T1555": {
"any": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.Resource": "100.00%",
"winlog.event_data.SchemaFriendlyName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.process.pid": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "12.50%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "12.50%",
"process.name": "50.00%",
"process.parent.executable": "37.50%",
"process.pe.original_file_name": "25.00%"
},
"rule_count": 8
}
},
"T1555.001": {
"process": {
"fields": {
"event.category": "25.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.executable": "25.00%",
"process.name": "25.00%",
"process.parent.executable": "50.00%"
},
"rule_count": 4
}
},
"T1555.003": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "50.00%",
"process.parent.executable": "50.00%"
},
"rule_count": 2
}
},
"T1555.004": {
"any": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.Resource": "100.00%",
"winlog.event_data.SchemaFriendlyName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.process.pid": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1556": {
"file": {
"fields": {
"event.category": "66.67%",
"event.type": "100.00%",
"file.extension": "33.33%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "66.67%",
"process.executable": "66.67%",
"process.name": "33.33%"
},
"rule_count": 3
},
"generic": {
"fields": {
"event.action": "100.00%",
"event.code": "33.33%",
"event.dataset": "66.67%",
"host.os.type": "33.33%",
"winlog.event_data.AttributeLDAPDisplayName": "33.33%",
"winlog.event_data.AttributeValue": "33.33%",
"winlog.event_data.SubjectUserName": "33.33%"
},
"rule_count": 3
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.provider": "100.00%",
"google_workspace.admin.new_value": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%",
"o365.audit.Parameters.Enabled": "100.00%"
},
"rule_count": 1
}
},
"T1558": {
"any,authentication": {
"fields": {
"event.action": "100.00%",
"event.outcome": "100.00%",
"host.os.type": "100.00%",
"source.ip": "100.00%",
"source.port": "100.00%",
"winlog.computer_name": "100.00%",
"winlog.event_data.AuthenticationPackageName": "100.00%",
"winlog.event_data.SubjectLogonId": "100.00%",
"winlog.event_data.TargetLogonId": "100.00%",
"winlog.logon.type": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "66.67%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"message": "33.33%",
"winlog.event_data.AllowedToDelegateTo": "33.33%",
"winlog.event_data.AttributeLDAPDisplayName": "33.33%",
"winlog.event_data.ObjectClass": "33.33%"
},
"rule_count": 3
},
"network": {
"fields": {
"destination.address": "100.00%",
"destination.port": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"process.executable": "100.00%",
"process.pid": "100.00%",
"source.port": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "66.67%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "33.33%",
"process.args": "66.67%",
"process.name": "33.33%",
"user.id": "33.33%"
},
"rule_count": 3
}
},
"T1558.003": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.code": "100.00%",
"host.os.type": "100.00%",
"winlog.event_data.AttributeLDAPDisplayName": "100.00%",
"winlog.event_data.ObjectClass": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "66.67%",
"host.os.type": "100.00%",
"powershell.file.script_block_text": "33.33%",
"process.args": "66.67%",
"process.name": "33.33%",
"user.id": "33.33%"
},
"rule_count": 3
}
},
"T1558.004": {
"generic": {
"fields": {
"event.code": "100.00%",
"host.os.type": "100.00%",
"message": "100.00%"
},
"rule_count": 1
}
},
"T1559": {
"library,network,process": {
"fields": {
"dll.name": "100.00%",
"dns.question.name": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%",
"process.parent.args": "100.00%",
"process.parent.name": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "50.00%",
"event.type": "50.00%",
"host.os.type": "100.00%",
"process.Ext.effective_parent.executable": "50.00%",
"process.Ext.effective_parent.name": "50.00%",
"process.args": "50.00%",
"process.executable": "50.00%",
"process.name": "50.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1559.001": {
"library,network,process": {
"fields": {
"dll.name": "100.00%",
"dns.question.name": "100.00%",
"event.type": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.name": "100.00%",
"process.parent.args": "100.00%",
"process.parent.name": "100.00%",
"user.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "50.00%",
"event.type": "50.00%",
"host.os.type": "100.00%",
"process.Ext.effective_parent.executable": "50.00%",
"process.Ext.effective_parent.name": "50.00%",
"process.args": "50.00%",
"process.executable": "50.00%",
"process.name": "50.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1560": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.code_signature.subject_name": "50.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1560.001": {
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.code_signature.subject_name": "50.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
}
},
"T1562": {
"configuration or iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.application.name": "50.00%",
"google_workspace.admin.new_value": "100.00%",
"google_workspace.admin.setting.name": "100.00%",
"google_workspace.event.type": "50.00%"
},
"rule_count": 2
},
"file": {
"fields": {
"event.action": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"azure.activitylogs.operation_name": "18.60%",
"event.action": "81.40%",
"event.dataset": "100.00%",
"event.outcome": "67.44%",
"event.provider": "34.88%"
},
"rule_count": 43
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.provider": "50.00%",
"event.type": "50.00%",
"google_workspace.admin.application.name": "50.00%",
"google_workspace.admin.new_value": "50.00%",
"google_workspace.admin.old_value": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.action": "15.00%",
"event.category": "35.00%",
"event.type": "90.00%",
"host.os.type": "95.00%",
"powershell.file.script_block_text": "5.00%",
"process.args": "95.00%",
"process.args_count": "10.00%",
"process.command_line": "5.00%",
"process.name": "90.00%",
"process.parent.executable": "5.00%",
"process.parent.name": "5.00%",
"process.pe.original_file_name": "30.00%"
},
"rule_count": 20
},
"registry": {
"fields": {
"event.type": "71.43%",
"host.os.type": "100.00%",
"process.executable": "14.29%",
"process.name": "14.29%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 7
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 4
}
},
"T1562.001": {
"configuration or iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"google_workspace.admin.application.name": "50.00%",
"google_workspace.admin.new_value": "100.00%",
"google_workspace.admin.setting.name": "100.00%",
"google_workspace.event.type": "50.00%"
},
"rule_count": 2
},
"file": {
"fields": {
"event.action": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"azure.activitylogs.operation_name": "35.00%",
"event.action": "65.00%",
"event.dataset": "100.00%",
"event.outcome": "95.00%",
"event.provider": "60.00%"
},
"rule_count": 20
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.type": "100.00%",
"google_workspace.admin.application.name": "100.00%",
"google_workspace.admin.new_value": "100.00%",
"google_workspace.admin.old_value": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.action": "14.29%",
"event.category": "50.00%",
"event.type": "92.86%",
"host.os.type": "92.86%",
"powershell.file.script_block_text": "7.14%",
"process.args": "92.86%",
"process.args_count": "14.29%",
"process.command_line": "7.14%",
"process.name": "85.71%",
"process.parent.executable": "7.14%",
"process.pe.original_file_name": "14.29%"
},
"rule_count": 14
},
"registry": {
"fields": {
"event.type": "50.00%",
"host.os.type": "100.00%",
"process.executable": "25.00%",
"process.name": "25.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 4
}
},
"T1562.002": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1562.004": {
"process": {
"fields": {
"event.action": "25.00%",
"event.type": "75.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 4
}
},
"T1562.006": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 2
},
"registry": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1562.007": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "33.33%",
"event.provider": "20.00%"
},
"rule_count": 15
},
"iam": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
}
},
"T1563": {
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"file.path": "50.00%",
"host.os.type": "50.00%",
"process.executable": "50.00%",
"process.name": "50.00%"
},
"rule_count": 2
}
},
"T1563.001": {
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"file.path": "50.00%",
"host.os.type": "50.00%",
"process.executable": "50.00%",
"process.name": "50.00%"
},
"rule_count": 2
}
},
"T1564": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "66.67%",
"file.name": "33.33%",
"file.path": "66.67%",
"host.os.type": "100.00%",
"process.executable": "33.33%"
},
"rule_count": 3
},
"process": {
"fields": {
"event.category": "25.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "75.00%",
"process.args_count": "25.00%",
"process.name": "75.00%",
"process.parent.executable": "25.00%",
"process.working_directory": "25.00%"
},
"rule_count": 4
}
},
"T1564.001": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "50.00%",
"file.name": "50.00%",
"file.path": "50.00%",
"host.os.type": "100.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.category": "33.33%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "66.67%",
"process.name": "100.00%",
"process.parent.executable": "33.33%",
"process.working_directory": "33.33%"
},
"rule_count": 3
}
},
"T1564.004": {
"file": {
"fields": {
"event.type": "100.00%",
"file.extension": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.args_count": "100.00%"
},
"rule_count": 1
}
},
"T1565": {
"any,file,process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 2
}
},
"T1565.001": {
"any,file,process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 2
}
},
"T1566": {
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "100.00%",
"file.Ext.windows.zone_identifier": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "50.00%"
},
"rule_count": 2
},
"file,process": {
"fields": {
"event.action": "33.33%",
"event.type": "66.67%",
"file.Ext.entropy": "33.33%",
"file.extension": "100.00%",
"file.name": "33.33%",
"file.path": "100.00%",
"file.size": "33.33%",
"host.id": "66.67%",
"host.os.type": "100.00%",
"process.args": "33.33%",
"process.args_count": "33.33%",
"process.executable": "66.67%",
"process.name": "100.00%",
"user.id": "33.33%"
},
"rule_count": 3
},
"generic": {
"fields": {
"azure.activitylogs.operation_name": "33.33%",
"azure.auditlogs.operation_name": "33.33%",
"event.action": "66.67%",
"event.dataset": "100.00%",
"event.outcome": "66.67%",
"event.provider": "66.67%",
"o365.audit.Operation": "33.33%",
"rule.name": "33.33%"
},
"rule_count": 3
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "20.00%",
"process.name": "100.00%",
"process.parent.args": "20.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "20.00%"
},
"rule_count": 5
},
"web": {
"fields": {
"event.action": "100.00%",
"event.category": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 3
}
},
"T1566.001": {
"any,process": {
"fields": {
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%",
"user.domain": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.type": "100.00%",
"file.Ext.windows.zone_identifier": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "50.00%"
},
"rule_count": 2
},
"file,process": {
"fields": {
"event.action": "33.33%",
"event.type": "66.67%",
"file.Ext.entropy": "33.33%",
"file.extension": "100.00%",
"file.name": "33.33%",
"file.path": "100.00%",
"file.size": "33.33%",
"host.id": "66.67%",
"host.os.type": "100.00%",
"process.args": "33.33%",
"process.args_count": "33.33%",
"process.executable": "66.67%",
"process.name": "100.00%",
"user.id": "33.33%"
},
"rule_count": 3
},
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.provider": "100.00%",
"rule.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "20.00%",
"process.name": "100.00%",
"process.parent.args": "20.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "20.00%"
},
"rule_count": 5
}
},
"T1566.002": {
"file": {
"fields": {
"event.type": "100.00%",
"file.Ext.windows.zone_identifier": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.entity_id": "100.00%",
"process.name": "50.00%"
},
"rule_count": 2
},
"file,process": {
"fields": {
"event.action": "33.33%",
"event.type": "66.67%",
"file.Ext.entropy": "33.33%",
"file.extension": "100.00%",
"file.name": "33.33%",
"file.path": "100.00%",
"file.size": "33.33%",
"host.id": "66.67%",
"host.os.type": "100.00%",
"process.args": "33.33%",
"process.args_count": "33.33%",
"process.executable": "66.67%",
"process.name": "100.00%",
"user.id": "33.33%"
},
"rule_count": 3
},
"generic": {
"fields": {
"azure.activitylogs.operation_name": "33.33%",
"azure.auditlogs.operation_name": "33.33%",
"event.action": "66.67%",
"event.dataset": "100.00%",
"event.outcome": "66.67%",
"event.provider": "66.67%",
"o365.audit.Operation": "33.33%",
"rule.name": "33.33%"
},
"rule_count": 3
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.parent.args": "100.00%",
"process.parent.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1567": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1567.001": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1567.002": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1569": {
"network,process": {
"fields": {
"destination.ip": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.executable": "50.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1569.002": {
"network,process": {
"fields": {
"destination.ip": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.executable": "50.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1570": {
"file,network": {
"fields": {
"destination.port": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"host.id": "100.00%",
"host.os.type": "100.00%",
"network.direction": "100.00%",
"network.transport": "100.00%",
"process.entity_id": "100.00%",
"process.pid": "100.00%",
"source.ip": "100.00%"
},
"rule_count": 1
}
},
"T1571": {
"network,process": {
"fields": {
"destination.ip": "100.00%",
"destination.port": "100.00%",
"event.action": "100.00%",
"network.transport": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1572": {
"process": {
"fields": {
"event.category": "33.33%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "66.67%",
"process.name": "33.33%"
},
"rule_count": 3
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1573": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1574": {
"any,process": {
"fields": {
"dll.code_signature.exists": "100.00%",
"dll.code_signature.trusted": "100.00%",
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.code_signature.status": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 2
},
"file": {
"fields": {
"event.action": "20.00%",
"event.category": "20.00%",
"event.type": "60.00%",
"file.name": "20.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "20.00%",
"process.name": "20.00%",
"user.name": "20.00%"
},
"rule_count": 5
},
"file,process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"library": {
"fields": {
"dll.Ext.relative_file_creation_time": "100.00%",
"dll.Ext.relative_file_name_modify_time": "100.00%",
"dll.code_signature.status": "100.00%",
"dll.name": "100.00%",
"dll.path": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "50.00%",
"process.executable": "50.00%",
"process.name": "100.00%",
"process.parent.executable": "50.00%",
"process.pe.original_file_name": "50.00%"
},
"rule_count": 2
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1574.001": {
"any,process": {
"fields": {
"dll.code_signature.exists": "100.00%",
"dll.code_signature.trusted": "100.00%",
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.code_signature.status": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"file": {
"fields": {
"event.action": "100.00%",
"file.name": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
}
},
"T1574.002": {
"any,process": {
"fields": {
"dll.code_signature.exists": "100.00%",
"dll.code_signature.trusted": "100.00%",
"dll.name": "100.00%",
"event.action": "100.00%",
"event.category": "100.00%",
"file.code_signature.status": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"library": {
"fields": {
"dll.Ext.relative_file_creation_time": "100.00%",
"dll.Ext.relative_file_name_modify_time": "100.00%",
"dll.code_signature.status": "100.00%",
"dll.name": "100.00%",
"dll.path": "100.00%",
"host.os.type": "100.00%",
"process.code_signature.trusted": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1574.006": {
"file": {
"fields": {
"event.category": "50.00%",
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.executable": "50.00%",
"user.name": "50.00%"
},
"rule_count": 2
},
"file,process": {
"fields": {
"event.action": "100.00%",
"event.type": "100.00%",
"file.extension": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.entity_id": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1574.007": {
"file": {
"fields": {
"file.path": "100.00%",
"host.os.type": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.parent.executable": "100.00%"
},
"rule_count": 1
},
"registry": {
"fields": {
"host.os.type": "100.00%",
"registry.data.strings": "100.00%",
"registry.path": "100.00%"
},
"rule_count": 1
}
},
"T1574.010": {
"file": {
"fields": {
"event.type": "100.00%",
"file.path": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
},
"T1578": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "50.00%"
},
"rule_count": 2
}
},
"T1578.004": {
"generic": {
"fields": {
"event.action": "100.00%",
"event.dataset": "100.00%",
"event.outcome": "100.00%",
"event.provider": "100.00%"
},
"rule_count": 1
}
},
"T1609": {
"generic": {
"fields": {
"event.dataset": "100.00%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "100.00%",
"kubernetes.audit.objectRef.resource": "100.00%",
"kubernetes.audit.objectRef.subresource": "100.00%",
"kubernetes.audit.verb": "100.00%"
},
"rule_count": 1
}
},
"T1610": {
"generic": {
"fields": {
"event.dataset": "100.00%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "100.00%",
"kubernetes.audit.objectRef.resource": "100.00%",
"kubernetes.audit.requestObject.spec.containers.image": "100.00%",
"kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "16.67%",
"kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "16.67%",
"kubernetes.audit.requestObject.spec.hostIPC": "16.67%",
"kubernetes.audit.requestObject.spec.hostNetwork": "16.67%",
"kubernetes.audit.requestObject.spec.hostPID": "16.67%",
"kubernetes.audit.requestObject.spec.volumes.hostPath.path": "16.67%",
"kubernetes.audit.verb": "100.00%"
},
"rule_count": 6
}
},
"T1611": {
"generic": {
"fields": {
"event.dataset": "100.00%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "100.00%",
"kubernetes.audit.objectRef.resource": "100.00%",
"kubernetes.audit.requestObject.spec.containers.image": "100.00%",
"kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "16.67%",
"kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "16.67%",
"kubernetes.audit.requestObject.spec.hostIPC": "16.67%",
"kubernetes.audit.requestObject.spec.hostNetwork": "16.67%",
"kubernetes.audit.requestObject.spec.hostPID": "16.67%",
"kubernetes.audit.requestObject.spec.volumes.hostPath.path": "16.67%",
"kubernetes.audit.verb": "100.00%"
},
"rule_count": 6
}
},
"T1613": {
"generic": {
"fields": {
"event.dataset": "100.00%",
"kubernetes.audit.annotations.authorization_k8s_io/decision": "100.00%",
"kubernetes.audit.impersonatedUser.username": "50.00%",
"kubernetes.audit.objectRef.resource": "50.00%",
"kubernetes.audit.user.username": "100.00%",
"kubernetes.audit.verb": "50.00%"
},
"rule_count": 2
}
},
"T1614": {
"network": {
"fields": {
"dns.question.name": "100.00%",
"event.action": "100.00%",
"host.os.type": "100.00%",
"network.protocol": "100.00%",
"process.executable": "100.00%",
"process.name": "100.00%",
"user.id": "100.00%"
},
"rule_count": 1
}
},
"T1615": {
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.args": "100.00%",
"process.name": "100.00%",
"process.pe.original_file_name": "100.00%"
},
"rule_count": 1
}
},
"T1647": {
"file": {
"fields": {
"event.category": "100.00%",
"event.type": "100.00%",
"file.name": "100.00%",
"host.os.type": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
},
"process": {
"fields": {
"event.type": "100.00%",
"host.os.type": "100.00%",
"process.command_line": "100.00%",
"process.name": "100.00%"
},
"rule_count": 1
}
}
}