diff --git a/.gitignore b/.gitignore
index 982973c..62de27b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,5 @@ docs/_build/
 *.tmp
 TODO*
 .DS_Store
+.vscode/
+mappings/input/enterprise/csv/*.csv
\ No newline at end of file
diff --git a/mappings/input/config.json b/mappings/input/config.json
new file mode 100644
index 0000000..6d4c28d
--- /dev/null
+++ b/mappings/input/config.json
@@ -0,0 +1,4 @@
+{
+ "attack_version": "13.1",
+ "mappings_version": "1.0"
+}
\ No newline at end of file
diff --git a/mappings/input/enterprise-attack-v13.1-datasources.csv b/mappings/input/enterprise-attack-v13.1-datasources.csv
new file mode 100644
index 0000000..756885d
--- /dev/null
+++ b/mappings/input/enterprise-attack-v13.1-datasources.csv
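Review bot: The pattern `mappings/input/enterprise/csv/*.csv` added in the `.gitignore` hunk matches the Auditd, Sysmon and WinEvtx mapping CSVs that this same commit adds under that directory. Files that are already tracked stay tracked, but any sensor mapping CSV created there later is silently ignored unless it is force-added, so a mapping can be missing from the repository without anyone noticing. If these CSVs are versioned inputs, drop the `mappings/input/enterprise/csv/*.csv` line; if they are generated, they should not be committed and the generating step should be documented instead. The file also ends without a trailing newline.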
@@ -0,0 +1,38 @@ +name,ID,description,collection layers,platforms,created,modified,type,version,url +Active Directory,DS0026,"A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)(Citation: Microsoft AD DS Getting Started)","Cloud Control Plane, Host","Azure AD, Windows",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0026 +Application Log,DS0015,"Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)","Cloud Control Plane, Host","Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0015 +Certificate,DS0037,"A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications",OSINT,PRE,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0037 +Cloud Service,DS0025,"Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon AWS)(Citation: Azure Products)",Cloud Control Plane,"Azure AD, Google Workspace, IaaS, Office 365, SaaS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0025 +Cloud Storage,DS0010,"Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)",Cloud Control Plane,IaaS,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0010 +Command,DS0017,"A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command 
Line)(Citation: Audit OSX)","Container, Host","Android, Containers, Linux, Network, Windows, iOS, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0017 +Container,DS0032,A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another(Citation: Docker Docs Container),Container,Containers,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0032 +Domain Name,DS0038,Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org),OSINT,PRE,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0038 +Drive,DS0016,"A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0016 +Driver,DS0027,"A computer program that operates or controls a particular type of device that is attached to a computer. 
Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used(Citation: IOKit Fundamentals)(Citation: Windows Getting Started Drivers)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0027 +File,DS0022,"A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)",Host,"Linux, Network, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0022 +Firewall,DS0018,"A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules(Citation: AWS Sec Groups VPC)","Cloud Control Plane, Host","Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0018 +Firmware,DS0001,"Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0001 +Group,DS0036,A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights(Citation: Amazon IAM Groups),"Cloud Control Plane, Host","Azure AD, Google Workspace, IaaS, Office 365, SaaS, Windows",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0036 +Image,DS0007,A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment(Citation: Microsoft Image)(Citation: Amazon AMI),Cloud Control Plane,IaaS,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0007 
+Instance,DS0030,"A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers(Citation: Amazon VM)(Citation: Google VM)",Cloud Control Plane,IaaS,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0030 +Internet Scan,DS0035,Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet,OSINT,PRE,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0035 +Kernel,DS0008,"A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components(Citation: STIG Audit Kernel Modules)(Citation: Init Man Page)",Host,"Linux, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0008 +Logon Session,DS0028,"Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)","Cloud Control Plane, Host, Network","Azure AD, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0028 +Malware Repository,DS0004,"Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) 
used by adversaries",OSINT,PRE,20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0004 +Module,DS0011,"Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0011 +Named Pipe,DS0023,Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it(Citation: Microsoft Named Pipes),Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0023 +Network Share,DS0033,"A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0033 +Network Traffic,DS0029,"Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)","Cloud Control Plane, Host, Network","Android, IaaS, Linux, Windows, iOS, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0029 +Persona,DS0021,A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims,OSINT,PRE,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0021 +Pod,DS0014,"A single unit of shared resources within a cluster, comprised of one or more containers(Citation: Kube Kubectl)(Citation: Kube Pod)",Container,Containers,20 October 
2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0014 +Process,DS0009,"Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)",Host,"Android, Linux, Windows, iOS, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0009 +Scheduled Job,DS0003,"Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)","Container, Host","Containers, Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0003 +Script,DS0012,"A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)",Host,Windows,20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0012 +Sensor Health,DS0013,"Information from host telemetry providing insights about system status, errors, or other notable functional activity",Host,"Android, Linux, Windows, iOS, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0013 +Service,DS0019,"A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)",Host,"Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0019 +Snapshot,DS0020,"A point-in-time copy of cloud volumes (files, settings, etc.) 
that can be created and/or deployed in cloud environments(Citation: Microsoft Snapshot)(Citation: Amazon Snapshots)",Cloud Control Plane,IaaS,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0020 +User Account,DS0002,"A profile representing a user, device, service, or application used to authenticate and access resources","Cloud Control Plane, Container, Host","Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.1,https://attack.mitre.org/datasources/DS0002 +Volume,DS0034,"Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives(Citation: Amazon S3)(Citation: Azure Blob Storage)(Citation: Google Cloud Storage)","Cloud Control Plane, Host","IaaS, Linux, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0034 +WMI,DS0005,The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers(Citation: Microsoft WMI System Classes)(Citation: Microsoft WMI Architecture),Host,Windows,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0005 +Web Credential,DS0006,"Credential material, such as session cookies or tokens, used to authenticate to web applications and services(Citation: Medium Authentication Tokens)(Citation: Auth0 Access Tokens)","Cloud Control Plane, Host","Azure AD, Google Workspace, Linux, Office 365, SaaS, Windows, macOS",20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0006 +Windows Registry,DS0024,"A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)",Host,Windows,20 October 2021,,datasource,1.0,https://attack.mitre.org/datasources/DS0024 
diff --git a/mappings/input/enterprise/csv/Auditd-sensors-mappings-enterprise.csv b/mappings/input/enterprise/csv/Auditd-sensors-mappings-enterprise.csv
new file mode 100644
index 0000000..f453d2d
--- /dev/null
+++ b/mappings/input/enterprise/csv/Auditd-sensors-mappings-enterprise.csv
@@ -0,0 +1,123 @@
+EVENT ID,EVENT DESCRIPTION,ATT&CK DATA SOURCE ID,ATT&CK DATA SOURCE,ATT&CK DATA COMPONENT,SOURCE,RELATIONSHIP,TARGET
+USYS_CONFIG,Triggered when a user-space system configuration change is detected,DS0017,Command,Command Execution,Process/User,Modified,Configuration
+FS_RELABEL,Triggered when a file system relabel operation is detected,DS0016,Drive,Drive Modification,Process/User,Modified,Drive
+ANOM_LINK,Triggered when suspicious use of file links is detected,DS0022,File,File Access,Process/User,Created,File
+USER_AVC,Triggered when a user-space AVC message is generated,DS0022,File,File Access,Process/User,Accessed,File
+USER_CHAUTHTOK,op record field contains value deleting mail file,DS0022,File,File Deletion,Process/User,Deleted,File
+USER_LABELED_EXPORT,Triggered when an object is exported with an SELinux label,DS0022,File,File Metadata,Service,Modified,File
+USER_UNLABELED_EXPORT,Triggered when an object is exported without an SELinux label,DS0022,File,File Metadata,Process/User,Modified,File
+LABEL_LEVEL_CHANGE,Triggered when an object's level label is modified,DS0022,File,File Modification,Process/User,Modified,File
+LABEL_OVERRIDE,Triggered when administrator overrides object's level label,DS0022,File,File Modification,User,Modified,File
+NETFILTER_CFG,Triggered when Netfilter chain modifications are detected,DS0018,Firewall,Firewall Rule Modification,Process/User,Modified,Firewall
+ADD_GROUP,Triggered when a user-space group is added,DS0036,Group,Group Creation,Process/User,Created,Group
+DEL_GROUP,Triggered when a user-space group is deleted,DS0036,Group,Group Deletion,Process/User,Deleted,Group
+SYSTEM_RUNLEVEL,Triggered when the system run level is changed,DS0013,Sensor Health,Host Status,Process/User,Modified,Host Status
+SYSTEM_SHUTDOWN,Triggered when the system is shut down,DS0013,Sensor Health,Host Status,Process/User,Modified,Host Status
+CRYPTO_SESSION,Triggered to record parameters set during a TLS session establishment,DS0028,Logon Session,Logon Session Creation,Service,Created,Logon
+USER_LOGIN,Triggered when a user logs in,DS0028,Logon Session,Logon Session Creation,Service,Created,Logon
+USER_START,Triggered when a user-space session is started,DS0028,Logon Session,Logon Session Creation,Service,Created,Logon Session
+CRYPTO_KEY_USER,Triggered to record crypto key identifier used for crypto purposes,DS0028,Logon Session,Logon Session Metadata,Service,Accessed,Logon Session
+LOGIN,Triggered to record relevant login information when user logs into system,DS0028,Logon Session,Logon Session Metadata,Service,Modified,Logon Session
+USER_END,Triggered when a user-space session is terminated,DS0028,Logon Session,Logon Session Metadata,Service,Terminated,Logon Session
+USER_LOGOUT,Triggered when a user logs out,DS0028,Logon Session,Logon Session Metadata,Service,Terminated,Logon
+MAC_UNLBL_ALLOW,Triggered when unlabeled traffic is allowed when using packet labeling,DS0029,Network Traffic,Network Traffic Content,Process/User,Accessed,Network
+TTY,Triggered when TTY input was sent to an administrative process,DS0009,Process,Process Access,Process/User,Accessed,Process
+USER_CMD,Triggered when a user-space shell command is executed,DS0009,Process,Process Creation,User,Created,Process
+ANOM_ABEND,"Triggered when a processes ends abnormally (with core dump, if enabled)",DS0009,Process,Process Termination,Process/User,Deleted,Process
+AVC,Triggered to record an SELinux permission check,DS0019,Service,Service Access,Service,Modified,Service
+DAEMON_START,Triggered when the auditd daemon is started,DS0019,Service,Service Creation,Process/User,Created,Service
+MAC_POLICY_LOAD,Triggered when a SELinux Policy file is loaded,DS0019,Service,Service Creation,Service,Created,Service
+DAEMON_ABORT,Triggered when a daemon is stopped due to an error,DS0019,Service,Service Metadata,Process/User,Terminated,Service
+DAEMON_END,Triggered when a daemon is successfully stopped,DS0019,Service,Service Metadata,Process/User,Terminated,Service
+DAEMON_RESUME,Triggered when the auditd daemon resumes logging,DS0019,Service,Service Metadata,Service,Resumed,Service
+DAEMON_ROTATE,Triggered when the auditd daemon rotates the Audit log files,DS0019,Service,Service Metadata,Service,Modified,Service
+SELINUX_ERR,Triggered when an internal SELinux error is detected,DS0019,Service,Service Metadata,Process/User,Accessed,Service
+USER_TTY,Triggered when an explanatory msg about TTY input to admin proc is sent,DS0019,Service,Service Metadata,Service,Accessed,Service
+ANOM_PROMISCUOUS,Triggered when a device enables or disables promiscuous mode,DS0019,Service,Service Modification,Process/User,Modified,Service
+CONFIG_CHANGE,audit_enabled record field contains 1 or 2,DS0019,Service,Service Modification,Process/User,Modified,Service
+CONFIG_CHANGE,audit_enabled record field contains 0,DS0019,Service,Service Modification,Process/User,Modified,Service
+CONFIG_CHANGE,op record field contains add rule,DS0019,Service,Service Modification,Process/User,Modified,Service
+CONFIG_CHANGE,op record field contains remove rule,DS0019,Service,Service Modification,Process/User,Modified,Service
+CONFIG_CHANGE,audit_failure record field contains value 0,DS0019,Service,Service Modification,Service,Modified,Service
+CONFIG_CHANGE,audit_failure record field contains value 1,DS0019,Service,Service Modification,Service,Modified,Service
+CONFIG_CHANGE,audit_failure record field contains value 2,DS0019,Service,Service Modification,Service,Modified,Service
+CONFIG_CHANGE,any other CONFIG_CHANGE cases not specified above,DS0019,Service,Service Modification,Process/User,Modified,Service
+DAEMON_CONFIG,Triggered when a daemon configuration change is detected,DS0019,Service,Service Modification,Process/User,Modified,Service
+MAC_CIPSOV4_ADD,Triggered when Commercial Internet Protocol Security Option user adds a new Domain of Interpretation (DOI) via NetLabel,DS0019,Service,Service Modification,User,Modified,Service
+MAC_CIPSOV4_DEL,Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.,DS0019,Service,Service Modification,User,Modified,Service
+MAC_CONFIG_CHANGE,Triggered when an SELinux Boolean value is changed,DS0019,Service,Service Modification,Process/User,Modified,Service
+MAC_MAP_ADD,Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.,DS0019,Service,Service Modification,User,Modified,Service
+MAC_MAP_DEL,Triggered when existing LSM domain mapping is deleted,DS0019,Service,Service Modification,User,Modified,Service
+MAC_STATUS,"Triggered when the SELinux mode is changed (enforcing, permissive, etc)",DS0019,Service,Service Modification,Process/User,Modified,Service
+ROLE_ASSIGN,Triggered when an administrator user assigns user to SELinux role,DS0019,Service,Service Modification,Process/User,Modified,Service
+ROLE_REMOVE,Triggered when an administrator removes a user from an SELinux role,DS0019,Service,Service Modification,Process/User,Modified,Service
+CRED_REFR,Triggered when a user refreshes their user-space credentials,DS0002,User Account,User Account Access,Process/User,Accessed,User Account
+USER_CHAUTHTOK,op record field contains value moving home directory,DS0002,User Account,User Account Access,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value user lookup,DS0002,User Account,User Account Access,Process/User,Accessed,User Account
+ANOM_LOGIN_FAILURES,Triggered when the limit of failed login attempts is reached,DS0002,User Account,User Account Authentication,Service,Accessed,User Account
+ANOM_LOGIN_LOCATION,Triggered when a login atempt is made from forbidden location,DS0002,User Account,User Account Authentication,Service,Closed,User Account
+ANOM_LOGIN_SESSIONS,Triggered when a login attempt reaches max amount of sessions,DS0002,User Account,User Account Authentication,Service,Closed,User Account
+ANOM_LOGIN_TIME,Triggered when a login attempt is made at a time when prevented,DS0002,User Account,User Account Authentication,Service,Closed,User Account
+RESP_ACCT_LOCK,Triggered when a user account is locked,DS0002,User Account,User Account Authentication,Process/User,Locked,User Account
+RESP_ACCT_UNLOCK_TIMED,Triggered when user account is unlocked after configured time,DS0002,User Account,User Account Authentication,Service,Unlocked,User Account
+USER_ACCT,Triggered when a user-space user authorization attempt is detected,DS0002,User Account,User Account Authentication,Service,Authorized,User Account
+USER_AUTH,Triggered when a user-space user authentication attempt is detected,DS0002,User Account,User Account Authentication,Service,Authenticates,User Account
+ADD_USER,Triggered when a user-space user account is created,DS0002,User Account,User Account Creation,Process/User,Created,User Account
+ANOM_ADD_ACCOUNT,Triggered when a user-space account addition ends abnormally,DS0002,User Account,User Account Creation,Process/User,Created,User Account
+USER_ROLE_CHANGE,op record field contains add SELinux user record,DS0002,User Account,User Account Creation,Process/Suer,Created,User Account
+ANOM_DEL_ACCOUNT,Triggered when a user-space account deletion ends abnormally,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
+DEL_USER,Triggered when a user-space user is deleted,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
+USER_CHAUTHTOK,op record field contains value deleting user entries,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
+USER_CHAUTHTOK,op record field contains value deleting user not found,DS0002,User Account,User Account Deletion,Process/User,Errored,User Account
+USER_CHAUTHTOK,op record field contains value deleting user,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
+USER_CHAUTHTOK,op record field contains value deleting user logged in,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
+USER_CHAUTHTOK,op record field contains value deleting home directory,DS0002,User Account,User Account Deletion,Process/User,Modified,User Account
+USER_ROLE_CHANGE,op record field contains delete SELinux user record,DS0002,User Account,User Account Deletion,Process/User,Deleted,User Account
+CRED_ACQ,Triggered when a user acquires user-space credentials,DS0002,User Account,User Account Metadata,Service,Accessed,User Account
+CRED_DISP,Triggered when a user disposes of user-space credentials,DS0002,User Account,User Account Metadata,Service,Deleted,User Account
+USER_CHAUTHTOK,op record field contains value unlock password,DS0002,User Account,User Account Metadata,Process/User,Unlocked,User Account
+USER_ERR,Triggered when a user account state error is detected,DS0002,User Account,User Account Metadata,Process/User,Accessed,User Account
+USER_CHAUTHTOK,op record field contains value change password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value change expired password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value change age,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value change max age,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value change min age,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value change passwd warning,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value change inactive days,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value change passwd expiration,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value change last change date,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value change all aging information,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value password attribute change,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value password aging data updated,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value display aging info,DS0002,User Account,User Account Modification,Process/User,Accessed,User Account
+USER_CHAUTHTOK,op record field contains value password status display,DS0002,User Account,User Account Modification,Process/User,Accessed,User Account
+USER_CHAUTHTOK,op record field contains value password status displayed for user,DS0002,User Account,User Account Modification,Process/User,Accessed,User Account
+USER_CHAUTHTOK,op record field contains value adding to group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value adding group member,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value adding user to group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value adding user to shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing primary group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing group member,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing admin name in shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing member in shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value deleting group password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value deleting member,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value deleting user from group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value deleting user from shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value removing group member,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value removing user from shadow group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value adding group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value deleting group,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value adding user,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value adding home directory,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value lock password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value delete password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value updating password,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing name,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing uid,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing home directory,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing mail file name,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,op record field contains value changing mail file owner,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_CHAUTHTOK,Triggered when a user account password or PIN is modified,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
+USER_ROLE_CHANGE,any other USER_ROLE_CHANGE cases not specified above,DS0002,User Account,User Account Modification,Process/User,Modified,User Account
diff --git a/mappings/input/enterprise/csv/Sysmon-sensors-mappings-enterprise.csv b/mappings/input/enterprise/csv/Sysmon-sensors-mappings-enterprise.csv
new file mode 100644
index 0000000..2766e07
--- /dev/null
+++ b/mappings/input/enterprise/csv/Sysmon-sensors-mappings-enterprise.csv
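Review bot: In the Auditd mapping, the SOURCE value `Process/Suer` on the `USER_ROLE_CHANGE` row "op record field contains add SELinux user record" is a typo for `Process/User`; if these columns are consumed as categorical values (not visible here), that row drops out of any grouping on `Process/User`. TARGET is also inconsistent within DS0028: `CRYPTO_SESSION`, `USER_LOGIN` and `USER_LOGOUT` use `Logon` while the other Logon Session rows use `Logon Session`, and RELATIONSHIP has `Authenticates` on `USER_AUTH` where every other row uses a past-tense verb. A coverage query keyed on these strings would undercount, so I would normalise them (`Process/User`, `Logon Session`, `Authenticated`) and add a check that validates each column against an allowed vocabulary before the CSV is accepted. The description of `ANOM_LOGIN_LOCATION` also misspells "attempt" as `atempt`.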
@@ -0,0 +1,29 @@
+EVENT ID,EVENT DESCRIPTION,ATT&CK DATA SOURCE ID,ATT&CK DATA SOURCE,ATT&CK DATA COMPONENT,SOURCE,RELATIONSHIP,TARGET
+,Driver loaded,DS0027,Driver,Driver Load,Driver,Loaded,
+,The RawAccessRead event detects when a process conducts reading operations from the drive using the \.\ denotation,DS0022,File,File Access,Process,Accessed,File
+,FileCreate,DS0022,File,File Creation,Process/User,Created,File
+,FileCreateStreamHash,DS0022,File,File Creation,File,Created,File Stream Hash
+,FileDelete,DS0022,File,File Deletion,Process/User,Deleted,File
+,File Delete logged.,DS0022,File,File Deletion,Process/User,Deleted,File
+,A process changed a file creation time,DS0022,File,File Modification,Process/User/File,Modified,File
+,Image Loaded,DS0011,Module,Module Load,Process/User,Loaded,Module
+,PipeEvent (Pipe Connected),DS0023,Named Pipe,Named Pipe Connection,Process,Created,Named Pipe
+,PipeEvent (Pipe Created),DS0023,Named Pipe,Named Pipe Metadata,Process/User,Created,Pipe
+,PipeEvent (Pipe Created),DS0023,Named Pipe,Named Pipe Metadata,Process/User,Connected To,Pipe
+,PipeEvent (Pipe Connected),DS0023,Named Pipe,Named Pipe Metadata,Process/User,Connected To,Pipe
+,Network connection,DS0029,Network Traffic,Network Connection Creation,Process/User,Connected To/From,Ip/Port/Device
+,ProcessAccess,DS0009,Process,Process Access,Process,Accessed,Process
+,A new process has been created,DS0009,Process,Process Creation,Process/User,Created,Process
+,A new process has been created,DS0009,Process,Process Creation,Process/User,Executed,Process
+,EventID(30),DS0009,Process,Process Metadata,Process,Searched,Ldap
+,The CreateRemoteThread event detects when a process creates a thread in another process.,DS0009,Process,Process Modification,Process,Modified,Process
+,Process terminated,DS0009,Process,Process Termination,Process/User,Terminated,Process
+,Sysmon service state changed.,DS0019,Service,Service Metadata,Service,Stopped/Started,Service
+,RegistryEvent (Object create and delete),DS0024,Windows Registry,Windows Registry Key Creation,Process/User,Created,Registry
+,RegistryEvent (Object create and delete),DS0024,Windows Registry,Windows Registry Key Deletion,Process/User,Deleted,Registry
+,RegistryEvent (Value Set),DS0024,Windows Registry,Windows Registry Key Modification,Process/User,Modified,Registry
+,RegistryEvent (Key and Value Rename),DS0024,Windows Registry,Windows Registry Key Modification,Process/User,Modified,Registry
+,WmiEvent (WmiEventFilter activity detected).,DS0005,WMI,WMI Creation,User,Created,WMI Object
+,WmiEvent (WmiEventConsumer activity detected).,DS0005,WMI,WMI Creation,User,Created,WMI Object
+,WmiEvent (WmiEventFilter activity detected).,DS0005,WMI,WMI Deletion,User,Deleted,WMI Object
+,WmiEvent (WmiEventConsumer activity detected).,DS0005,WMI,WMI Deletion,User,Deleted,WMI Object
diff --git a/mappings/input/enterprise/csv/WinEvtx-sensors-mappings-enterprise.csv b/mappings/input/enterprise/csv/WinEvtx-sensors-mappings-enterprise.csv
new file mode 100644
index 0000000..95cd041
--- /dev/null
+++ b/mappings/input/enterprise/csv/WinEvtx-sensors-mappings-enterprise.csv
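Review bot: The `EVENT ID` column is empty on every data row of Sysmon-sensors-mappings-enterprise.csv, so nothing in the file ties a mapping to the Sysmon event that produces it; one row only hints at the number in its description (`EventID(30)`). If the IDs were lost when the sheet was exported, re-export with the column populated and have the loader reject rows with a blank `EVENT ID`. Two groups of rows also look like copy errors worth confirming: `PipeEvent (Pipe Created)` is listed with relationship `Connected To` as well as `Created`, and both WmiEvent descriptions are mapped to `WMI Deletion` in addition to `WMI Creation`. Left as is, a coverage view built from this file would credit the sensor with telemetry for pipe connections and WMI deletions that these descriptions do not obviously describe.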
@@ -0,0 +1,149 @@
+EVENT ID,EVENT DESCRIPTION,ATT&CK DATA SOURCE ID,ATT&CK DATA SOURCE,ATT&CK DATA COMPONENT,SOURCE,RELATIONSHIP,TARGET
+,A Kerberos authentication ticket (TGT) was requested.,DS0026,Active Directory,Active Directory Credential Request,User,Requested,Ad Credential
+,A Kerberos service ticket was requested.,DS0026,Active Directory,Active Directory Credential Request,User,Requested,Ad Credential
+,Kerberos pre-authentication failed,DS0026,Active Directory,Active Directory Credential Request,User,Requested,Ad Credential
+,A handle to an object was requested.,DS0026,Active Directory,Active Directory Object Access,User,Requested Access To,Ad Object
+,An operation was performed on an object.,DS0026,Active Directory,Active Directory Object Access,User,Accessed,Ad Object
+,A Kerberos service ticket request failed,DS0026,Active Directory,Active Directory Object Access,User,Requested,Service Ticket
+,Synchronization of a replica of an Active Directory naming context has begun.,DS0026,Active Directory,Active Directory Object Access,User,Accessed,Ad Object
+,A directory service object was created.,DS0026,Active Directory,Active Directory Object Creation,User,Created,Ad Object
+,A directory service object was undeleted,DS0026,Active Directory,Active Directory Object Creation,User,Restored,Ad Object
+,A directory service object was deleted.,DS0026,Active Directory,Active Directory Object Deletion,User,Deleted,Ad Object
+,System audit policy was changed.,DS0026,Active Directory,Active Directory Object Modification,User,Modified,Ad Object
+,A security-enabled global group was changed.,DS0026,Active Directory,Active Directory Object Modification,User,Modified,Group
+,A Kerberos service ticket was renewed,DS0026,Active Directory,Active Directory Object Modification,User,Modified,Ad Credential
+,A directory service object was modified.,DS0026,Active Directory,Active Directory Object Modification,User,Modified,Ad Object
+,A directory service object was moved.,DS0026,Active Directory,Active Directory Object Modification,User,Created,Ad Object
+,Module logging.,DS0017,Command,Command Execution,User,Executed,Command
+,A new external device was recognized by the system.,DS0016,Drive,Drive Creation,User,Installed,Drive
+,The installation of this device is forbidden by system policy.,DS0016,Drive,Drive Creation,User,Attempted To Install,Drive
+,"The installation of this device was allowed, after having previously been forbidden by policy.",DS0016,Drive,Drive Creation,User,Installed,Drive
+,A request was made to disable a device.,DS0016,Drive,Drive Modification,User,Attempted To Disable,Drive
+,A device was disabled.,DS0016,Drive,Drive Modification,User,Disabled,Drive
+,A request was made to enable a device.,DS0016,Drive,Drive Modification,User,Attempted To Enable,Drive
+,A device was enabled.,DS0016,Drive,Drive Modification,User,Enabled,Drive
+,A handle to an object was requested.,DS0022,File,File Access,Process/User,Requested Access To,File
+,A handle to an object was requested.,DS0022,File,File Access,User,Requested Access To,File
+,An attempt was made to access an object,DS0022,File,File Access,Process/User,Accessed,File
+,An attempt was made to duplicate a handle to an object.,DS0022,File,File Access,File,Accessed,File Handle
+,An attempt was made to access an object.,DS0022,File,File Creation,Process/User,Created,File
+,An object was deleted.,DS0022,File,File Deletion,Process/User,Deleted,Registry
+,An attempt was made to access an object.,DS0022,File,File Deletion,Process/User,Deleted,File
+,An attempt was made to create a hard link.,DS0022,File,File Metadata,File,Modified,File
+,Permissions on an object were changed.,DS0022,File,File Modification,Process/User,Modified,File
+,The Windows Firewall Service has been stopped.,DS0018,Firewall,Firewall Disable,Process/User,Disabled,Firewall
+,The Windows Firewall Driver was stopped.,DS0018,Firewall,Firewall Disable,Process/User,Disabled,Firewall
+,The Windows Firewall Service has started successfully.,DS0018,Firewall,Firewall Enabled,Process/User,Enabled,Firewall
+,A Windows Defender Firewall setting has changed.,DS0018,Firewall,Firewall Metadata,Process/User,Modified,Firewall
+,A Windows Defender Firewall setting in the Private profile has changed.,DS0018,Firewall,Firewall Metadata,Process/User,Modified,Firewall
+,The Windows Firewall service failed to load Group Policy.,DS0018,Firewall,Firewall Metadata,Firewall,Attempted To Load,Configuration
+,A windows firewall setting has changed,DS0018,Firewall,Firewall Metadata,Process/User,Modified,Firewall Setting
+,Windows firewall group policy settings has changed,DS0018,Firewall,Firewall Metadata,Process/User,Modified,Firewall Group Policy
+,A rule has been added to the Windows Defender Firewall exception list,DS0018,Firewall,Firewall Rule Modification,Process/User,Add,Firewall Rule
+,A rule has been modified in the Windows Defender Firewall exception list.,DS0018,Firewall,Firewall Rule Modification,Process/User,Modified,Firewall Rule
+,A rule has been deleted in the Windows Defender Firewall exception list,DS0018,Firewall,Firewall Rule Modification,Process/User,Removed,Firewall Rule
+,All rules have been deleted from the Windows Firewall configuration on this computer.,DS0018,Firewall,Firewall Rule Modification,User,Removed,Firewall Rule
+,A change has been made to Windows Firewall exception list. A rule was added.,DS0018,Firewall,Firewall Rule Modification,Process/User,Added,Firewall Rule
+,A change has been made to Windows Firewall exception list. A rule was modified.,DS0018,Firewall,Firewall Rule Modification,Process/User,Modified,Firewall Rule
+,A change has been made to Windows Firewall exception list. A rule was deleted.,DS0018,Firewall,Firewall Rule Modification,Process/User,Removed,Firewall Rule
+,A security-enabled global group was created.,DS0036,Group,Group Creation,User,Created,Group
+,A security-enabled local group was created.,DS0036,Group,Group Creation,User,Created,Group
+,A security-enabled universal group was created.,DS0036,Group,Group Creation,User,Created,Group
+,A security-enabled global group was deleted.,DS0036,Group,Group Deletion,User,Deleted,Group
+,A security-enabled local group was deleted.,DS0036,Group,Group Deletion,User,Deleted,Group
+,A security-enabled universal group was deleted.,DS0036,Group,Group Deletion,User,Deleted,Group
+,A user's local group membership was enumerated.,DS0036,Group,Group Enumeration,User,Enumerated,Group
+,A security-enabled local group membership was enumerated.,DS0036,Group,Group Enumeration,Group,Enumerated,Group
+,A member was removed from a security-enabled global group.,DS0036,Group,Group Modification,User,Modified,Group
+,A member was added to a security-enabled local group.,DS0036,Group,Group Modification,User,Modified,Group
+,A member was removed from a security-enabled local group.,DS0036,Group,Group Modification,User,Modified,Group
+,A security-enabled local group was changed.,DS0036,Group,Group Modification,User,Modified,Group
+,A security-enabled universal group was changed.,DS0036,Group,Group Modification,User,Modified,Group
+,A member was added to a security-enabled universal group.,DS0036,Group,Group Modification,User,Modified,Group
+,A member was removed from a security-enabled universal group.,DS0036,Group,Group Modification,User,Modified,Group
+,A groups type was changed.,DS0036,Group,Group Modification,User,Modified,Group
+,The event logging service has shut down.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
+,Audit events have been dropped by the transport.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
+,The audit log was cleared.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
+,The security Log is now full.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
+,The system time was changed.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
+,The Event log service was started.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
+,The Event log service was stopped.,DS0013,Sensor Health,Host Status,Sensor Health,Changed,
+,An account was successfully logged on,DS0028,Logon Session,Logon Session Creation,User,Created Logon From,Ip/Port/Logon Session
+,A session was reconnected to a Window Station.,DS0028,Logon Session,Logon Session Creation,User,Created Logon From,Ip
+,Special groups have been assigned to a new logon.,DS0028,Logon Session,Logon Session Creation,User,Created,Logon Session
+,An authentication package has been loaded by the Local Security Authority.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
+,A trusted logon process has been registered with the Local Security Authority.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
+,A notification package has been loaded by the Security Account Manager.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
+,A security package has been loaded by the Local Security Authority.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
+,An account was logged off,DS0028,Logon Session,Logon Session Metadata,User,Terminated,Logon Session
+,User initiated logoff.,DS0028,Logon Session,Logon Session Metadata,User,Terminated,Logon Session
+,A privileged service was called.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
+,An operation was attempted on a privileged object.,DS0028,Logon Session,Logon Session Metadata,Logon,Metadata,
+,Special privileges assigned to new logon.,DS0028,Logon Session,Logon Session Modification,Logon,Modified,
+,A session was disconnected from a Window Station,DS0028,Logon Session,Logon Session Terminated,User,Disconnected Fom,Host
+,A handle to an object was requested.,DS0023,Named Pipe,Named Pipe Metadata,Process,Created,Pipe
+,A network share object was checked to see whether client can be granted desired access.,DS0023,Named Pipe,Named Pipe Metadata,User,Created,Pipe
+,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,DS0029,Network Traffic,Network Connection Creation,Device,Blocked Connection To,Process
+,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,DS0029,Network Traffic,Network Connection Creation,Device,Permitted Listener On,Ip/Port/Process
+,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,DS0029,Network Traffic,Network Connection Creation,Process,Listened On,Port
+,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,DS0029,Network Traffic,Network Connection Creation,Device,Blocked Listener To,Ip/Port/Process
+,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,DS0029,Network Traffic,Network Connection Creation,Process,Attempted To Listen On,Port
+,The Windows Filtering Platform has permitted a connection.,DS0029,Network Traffic,Network Connection Creation,Process,Connected To,Ip/Port
+,The Windows Filtering Platform has blocked a connection.,DS0029,Network Traffic,Network Connection Creation,Process,Attempted Connection To/From,Ip/Port
+,The Windows Filtering Platform has blocked a connection.,DS0029,Network Traffic,Network Connection Creation,Device,Blocked Connection To,Process/Port
+,The Windows Filtering Platform has permitted a bind to a local port.,DS0029,Network Traffic,Network Connection Creation,Process,Bound To,Port
+,The Windows Filtering Platform has blocked a bind to a local port.,DS0029,Network Traffic,Network Connection Creation,Device,Blocked Port Bind On,Ip/Port/Process
+,The Windows Filtering Platform has blocked a bind to a local port.,DS0029,Network Traffic,Network Connection Creation,Process,Attempted To Bind On,Port
+,A network share object was accessed.,DS0033,Network Share,Network Share Access,User,Attempted To Access,Network Share
+,A network share object was checked to see whether client can be granted desired access.,DS0033,Network Share,Network Share Access,User,Attempted To Access,Network Share
+,A network share object was added.,DS0033,Network Share,Network Share Creation,User,Created,Network Share
+,A network share object was deleted.,DS0033,Network Share,Network Share Deletion,User,Deleted,Network Share
+,A network share object was modified.,DS0033,Network Share,Network Share Modification,User,Modified,Network Share
+,A handle to an object was requested,DS0009,Process,Process Access,Process,Requested Access To,Process
+,An attempt was made to access an object,DS0009,Process,Process Access,Process/User,Accessed,Process
+,Program execution. When you start a program you are creating a process that stays open until the program ends,DS0009,Process,Process Creation,Process/User,Created,Process
+,A primary token was assigned to process. The assigning process fields identifies the process that started the child (new) process,DS0009,Process,Process Creation,Process/User,Created,Process
+,A process has exited.,DS0009,Process,Process Termination,User,Terminated,Process
+,A scheduled task was created.,DS0003,Scheduled Job,Scheduled Job Creation,User,Created,Scheduled Job
+,A scheduled task was deleted.,DS0003,Scheduled Job,Scheduled Job Deletion,User,Deleted,Scheduled Job
+,A scheduled task was enabled.,DS0003,Scheduled Job,Scheduled Job Modification,User,Enabled,Scheduled Job
+,A scheduled task was disabled.,DS0003,Scheduled Job,Scheduled Job Modification,User,Disabled,Scheduled Job
+,A scheduled task was updated.,DS0003,Scheduled Job,Scheduled Job Modification,User,Modified,Scheduled Job
+,Module logging.,DS0012,Script,Script Execution,Process,Executed,Script
+,Script Block Logging.,DS0012,Script,Script Execution,Process,Executed,Script
+,A handle to an object was requested.,DS0019,Service,Service Access,User,Requested Access To,Service
+,A service was installed in the system.,DS0019,Service,Service Creation,User,Created,Service
+,The Event log service was started.,DS0019,Service,Service Metadata,Service,Started,
+,The Event log service was stopped.,DS0019,Service,Service Metadata,Service,Stopped,
+,A logon was attempted using explicit credentials.,DS0002,User Account,User Account Authentication,User,Attempted To Authenticate From,Ip/Port
+,The computer attempted to validate the credentials for an account,DS0002,User Account,User Account Authentication,User,Authenticated From,Device
+,An account failed to log on,DS0002,User Account,User Account Authentication,User,Attempted To Authenticate From,Ip/Port
+,A user account was created,DS0002,User Account,User Account Creation,User,Created,User Account
+,A computer account was created.,DS0002,User Account,User Account Creation,User,Created,User Account
+,A user account was deleted,DS0002,User Account,User Account Deletion,User,Deleted,User Account
+,A computer account was deleted.,DS0002,User Account,User Account Deletion,User,Deleted,User Account
+,An operation was attempted on a privileged object,DS0002,User Account,User Account Metadata,Process/User,Accessed,User Privileges
+,A user right was adjusted.,DS0002,User Account,User Account Modification,Logon,Metadata,
+,System security access was granted to an account.,DS0002,User Account,User Account Modification,User,Granted Access To,User Account
+,System security access was removed from an account.,DS0002,User Account,User Account Modification,User,Removed Access To,User Account
+,A user account was enabled.,DS0002,User Account,User Account Modification,User,Enabled,User Account
+,An attempt was made to change an account's password.,DS0002,User Account,User Account Modification,User,Attempted To Modify,User Account
+,An attempt was made to reset an account's password,DS0002,User Account,User Account Modification,User,Attempted To Modify,User Account
+,A user account was disabled.,DS0002,User Account,User Account Modification,User,Disabled,User Account
+,A user account was changed.,DS0002,User Account,User Account Modification,User,Modified,User Account
+,A user account was locked out.,DS0002,User Account,User Account Modification,User,Locked,User Account
+,A computer account was changed.,DS0002,User Account,User Account Modification,User,Modified,User Account
+,A user account was unlocked.,DS0002,User Account,User Account Modification,User,Unlocked,User Account
+,The name of an account was changed.,DS0002,User Account,User Account Modification,User,Modified,User Account
+,An attempt was made to access an object,DS0024,Windows Registry,Windows Registry Key Access,Process/User,Accessed,Registry
+,A registry value was modified.,DS0024,Windows Registry,Windows Registry Key Creation,Process/User,Created,Registry
+,A registry value was modified.,DS0024,Windows Registry,Windows Registry Key Deletion,Process/User,Deleted,Registry
+,An object was deleted.,DS0024,Windows Registry,Windows Registry Key Deletion,Process/User,Deleted,Registry
+,A registry value was modified.,DS0024,Windows Registry,Windows Registry Key Modification,Process/User,Modified,Registry
+,Permissions on an object were changed.,DS0024,Windows Registry,Windows Registry Key Modification,Process/User,Modified,File
+,WMIProv provider started.,DS0005,WMI,WMI Creation,User,Created,WMI Object
+,WMI Query Error.,DS0005,WMI,WMI Creation,User,Created,WMI Object
+,WMI Event.,DS0005,WMI,WMI Creation,User,Created,WMI Object
+,WMI temporary event created.,DS0005,WMI,WMI Creation,User,Created,WMI Object
+,WMI permanent event created.,DS0005,WMI,WMI Creation,User,Created,WMI Object
diff --git a/mappings/input/enterprise/xlsx/Sensor ID to Data Source to API v2.xlsx b/mappings/input/enterprise/xlsx/Sensor ID to Data Source to API v2.xlsx
new file mode 100644
index 0000000..1c9f981
Binary files /dev/null and b/mappings/input/enterprise/xlsx/Sensor ID to Data Source to API v2.xlsx differ
diff --git a/mappings/input/enterprise/xlsx/enterprise-attack-v13.1-datasources.xlsx b/mappings/input/enterprise/xlsx/enterprise-attack-v13.1-datasources.xlsx
new file mode 100644
index 0000000..d80fbb7
Binary files /dev/null and b/mappings/input/enterprise/xlsx/enterprise-attack-v13.1-datasources.xlsx differ
diff --git a/mappings/stix/enterprise/Auditd-mappings-enterprise.json b/mappings/stix/enterprise/Auditd-mappings-enterprise.json
new file mode 100644
index 0000000..0790a3c
--- /dev/null
+++ b/mappings/stix/enterprise/Auditd-mappings-enterprise.json
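Review bot: Several rows in WinEvtx-sensors-mappings-enterprise.csv carry values that contradict their own data component: `An object was deleted.` under `File Deletion` has target `Registry`, `Permissions on an object were changed.` under `Windows Registry Key Modification` has target `File`, and `A directory service object was moved.` has relationship `Created`. The relationship value `Disconnected Fom` is misspelled (`...,Logon Session Terminated,User,Disconnected From,Host`), and the firewall-rule rows use both `Add` and `Added` for the same action. The `EVENT ID` column is blank on every row here too, which matters because identical descriptions such as `A handle to an object was requested.` are reused across the Active Directory, File, Named Pipe, Process and Service rows and cannot be told apart or joined to a Windows event without it. The Auditd STIX bundle added later in this diff copies `relationship` into `relationship_type`, so presumably these values would be carried into generated objects the same way; fixing them in the CSV first is cheaper than correcting the bundle.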
@@ -0,0 +1,3820 @@ +{ + "id": "bundle--22dbc13b-c0fb-45ad-ae9f-96e5ee3d86f5", + "objects": [ + { + "created": "2023-10-27T20:54:33.646871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--206469c7-f0a2-4e86-a373-a455b845e1e5", + "modified": "2023-10-27T20:54:33.646871Z", + "name": "Command Execution", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.646871Z", + "data_component": "Command Execution", + "data_source": "Command", + "description": "Triggered when a user-space system configuration change is detected", + "event_id": "USYS_CONFIG", + "id": "x-mitre-sensor-mapping--603eb85b-68db-4990-9f95-9f68df782ee3", + "modified": "2023-10-27T20:54:33.646871Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Configuration", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0017" + }, + { + "created": "2023-10-27T20:54:33.647867Z", + "id": "relationship--613e89e1-f329-4fff-a4cb-28008cdc7abb", + "modified": "2023-10-27T20:54:33.647867Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--206469c7-f0a2-4e86-a373-a455b845e1e5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.647867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", 
+ "modified": "2023-10-27T20:54:33.647867Z", + "name": "Drive Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.648869Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "Triggered when a file system relabel operation is detected", + "event_id": "FS_RELABEL", + "id": "x-mitre-sensor-mapping--5dddf95a-bbc5-4082-ba8f-ab090516caf3", + "modified": "2023-10-27T20:54:33.648869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:33.648869Z", + "id": "relationship--22c6533d-bfb4-4690-a907-025253a95415", + "modified": "2023-10-27T20:54:33.648869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.648869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "modified": "2023-10-27T20:54:33.648869Z", + "name": "File Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.649873Z", + "data_component": "File Access", + "data_source": "File", + "description": "Triggered when suspicious use of file links is detected", + "event_id": "ANOM_LINK", + "id": "x-mitre-sensor-mapping--9e1b5d39-44c4-4742-81c0-a35aefa65fcd", + "modified": "2023-10-27T20:54:33.649873Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.649873Z", + "id": "relationship--04d86f99-222f-483e-8d88-977912823b1d", + "modified": "2023-10-27T20:54:33.649873Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65087Z", + "data_component": "File Access", + "data_source": "File", + "description": "Triggered when a user-space AVC message is generated", + "event_id": "USER_AVC", + "id": "x-mitre-sensor-mapping--a2f36ce1-e4fd-43c5-9417-9dec3d9f12ea", + "modified": "2023-10-27T20:54:33.65087Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.65087Z", + "id": "relationship--96b94d6e-6191-4583-a93c-b038bf597459", + "modified": "2023-10-27T20:54:33.65087Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65187Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "modified": "2023-10-27T20:54:33.65187Z", + "name": "File Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.65187Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "op record field contains value deleting mail file", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--9330ef3c-c690-4a5b-8323-b46a7cdaf839", + "modified": "2023-10-27T20:54:33.65187Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.65187Z", + "id": "relationship--c6df6dd4-76fc-4505-becd-1f01da9971bf", + "modified": "2023-10-27T20:54:33.65187Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": 
"x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "modified": "2023-10-27T20:54:33.65287Z", + "name": "File Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.65287Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Triggered when an object is exported with an SELinux label", + "event_id": "USER_LABELED_EXPORT", + "id": "x-mitre-sensor-mapping--e2719b8c-a421-4863-8719-756621205438", + "modified": "2023-10-27T20:54:33.65287Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.65387Z", + "id": "relationship--bfb4be25-db76-4020-a12d-3fc53542f029", + "modified": "2023-10-27T20:54:33.65387Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65387Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Triggered when an object is exported without an SELinux label", + "event_id": "USER_UNLABELED_EXPORT", + "id": "x-mitre-sensor-mapping--af3a8ec0-9667-4e07-ba73-bf63d35e8b01", + "modified": "2023-10-27T20:54:33.65387Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + 
"spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.654868Z", + "id": "relationship--9f26f3b7-6f0d-4c2e-89ca-509aff01492b", + "modified": "2023-10-27T20:54:33.654868Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.655922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "modified": "2023-10-27T20:54:33.655922Z", + "name": "File Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.656868Z", + "data_component": "File Modification", + "data_source": "File", + "description": "Triggered when an object's level label is modified", + "event_id": "LABEL_LEVEL_CHANGE", + "id": "x-mitre-sensor-mapping--79083c90-03df-4022-8817-edca78e63e8c", + "modified": "2023-10-27T20:54:33.656868Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.656868Z", + "id": "relationship--93e71d50-fe4e-4dc5-be54-9cf3536f5cde", + "modified": "2023-10-27T20:54:33.656868Z", + "relationship_type": 
"Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65787Z", + "data_component": "File Modification", + "data_source": "File", + "description": "Triggered when administrator overrides object's level label", + "event_id": "LABEL_OVERRIDE", + "id": "x-mitre-sensor-mapping--9914aa55-b37e-450b-b38e-536e747c7dda", + "modified": "2023-10-27T20:54:33.65787Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.658869Z", + "id": "relationship--042bdc8b-878b-4937-80e1-516db1b6f883", + "modified": "2023-10-27T20:54:33.658869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.660871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "modified": "2023-10-27T20:54:33.660871Z", + "name": "Firewall Rule Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.661868Z", + 
"data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "Triggered when Netfilter chain modifications are detected", + "event_id": "NETFILTER_CFG", + "id": "x-mitre-sensor-mapping--99573857-176c-4d12-9c07-db462dc7d842", + "modified": "2023-10-27T20:54:33.661868Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:33.662867Z", + "id": "relationship--cc530c1a-227e-4d32-b62a-c21e21bd42eb", + "modified": "2023-10-27T20:54:33.662867Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.662867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "modified": "2023-10-27T20:54:33.662867Z", + "name": "Group Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.66387Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "Triggered when a user-space group is added", + "event_id": "ADD_GROUP", + "id": "x-mitre-sensor-mapping--10f73bf8-fe0b-46b6-a35f-bc90906d92f6", + "modified": "2023-10-27T20:54:33.66387Z", + "relationship": 
"Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.664867Z", + "id": "relationship--5a29e8d6-8ab4-437c-a2e8-1d380bb980c8", + "modified": "2023-10-27T20:54:33.664867Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.664867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "modified": "2023-10-27T20:54:33.664867Z", + "name": "Group Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.665892Z", + "data_component": "Group Deletion", + "data_source": "Group", + "description": "Triggered when a user-space group is deleted", + "event_id": "DEL_GROUP", + "id": "x-mitre-sensor-mapping--fe41f444-b001-4e41-a669-f5c68b537797", + "modified": "2023-10-27T20:54:33.665892Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.666871Z", + "id": "relationship--23d92a9c-0747-42c2-b880-202bdc14af2b", + "modified": 
"2023-10-27T20:54:33.666871Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.666871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "modified": "2023-10-27T20:54:33.666871Z", + "name": "Host Status", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.66787Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Triggered when the system run level is changed", + "event_id": "SYSTEM_RUNLEVEL", + "id": "x-mitre-sensor-mapping--f9477f40-0cb6-4287-8788-309ce2f5b8cb", + "modified": "2023-10-27T20:54:33.66787Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:33.66787Z", + "id": "relationship--782e3a77-4312-43cc-a1a0-8c488f8b3cff", + "modified": "2023-10-27T20:54:33.66787Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + 
"created": "2023-10-27T20:54:33.668869Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Triggered when the system is shut down", + "event_id": "SYSTEM_SHUTDOWN", + "id": "x-mitre-sensor-mapping--6a77340e-1e6d-4883-80b8-0bb10d35b807", + "modified": "2023-10-27T20:54:33.668869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:33.668869Z", + "id": "relationship--bd03e338-437f-4afb-8c25-6df4750b7184", + "modified": "2023-10-27T20:54:33.668869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.668869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "modified": "2023-10-27T20:54:33.668869Z", + "name": "Logon Session Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.669869Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "Triggered to record parameters set during a TLS session establishment", + "event_id": "CRYPTO_SESSION", + "id": 
"x-mitre-sensor-mapping--8848b561-521d-451c-9019-53019be51f6c", + "modified": "2023-10-27T20:54:33.669869Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.669869Z", + "id": "relationship--d80a5cbe-27e1-4d89-8932-6eb539940465", + "modified": "2023-10-27T20:54:33.669869Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.670871Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "Triggered when a user logs in", + "event_id": "USER_LOGIN", + "id": "x-mitre-sensor-mapping--35d97710-3b92-44d7-8f6e-84f1915acdfc", + "modified": "2023-10-27T20:54:33.670871Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.670871Z", + "id": "relationship--ef757044-c3bb-492c-aea3-b1c3bd178fd0", + "modified": "2023-10-27T20:54:33.670871Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.67187Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "Triggered when a user-space session is started", + "event_id": "USER_START", + "id": "x-mitre-sensor-mapping--0315ffda-00bd-42eb-9e95-1d6fdd34fff0", + "modified": 
"2023-10-27T20:54:33.67187Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.672871Z", + "id": "relationship--eb313235-bc02-42ed-ab14-438866661102", + "modified": "2023-10-27T20:54:33.672871Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.672871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "modified": "2023-10-27T20:54:33.672871Z", + "name": "Logon Session Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.673871Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Triggered to record crypto key identifier used for crypto purposes", + "event_id": "CRYPTO_KEY_USER", + "id": "x-mitre-sensor-mapping--d02bd0bf-4493-4a5f-b37d-8d9925c061c4", + "modified": "2023-10-27T20:54:33.673871Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": 
"2023-10-27T20:54:33.674871Z", + "id": "relationship--82380120-c2df-409c-b329-72155ddbe61f", + "modified": "2023-10-27T20:54:33.674871Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.67587Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Triggered to record relevant login information when user logs into system", + "event_id": "LOGIN", + "id": "x-mitre-sensor-mapping--acd3a880-1a90-49ff-bbe6-b71bd7820ec6", + "modified": "2023-10-27T20:54:33.67587Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.67587Z", + "id": "relationship--aa3546b1-69b3-4acb-8523-dba51c731b5b", + "modified": "2023-10-27T20:54:33.67587Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.676868Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Triggered when a user-space session is terminated", + "event_id": "USER_END", + "id": "x-mitre-sensor-mapping--a94a1d6c-fb82-4ab7-b109-bae02fd1710d", + "modified": "2023-10-27T20:54:33.676868Z", + "relationship": "Terminated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.677873Z", + "id": 
"relationship--62fef63f-b97a-4732-b8fc-407b82ff1840", + "modified": "2023-10-27T20:54:33.677873Z", + "relationship_type": "Terminated", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.678872Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Triggered when a user logs out", + "event_id": "USER_LOGOUT", + "id": "x-mitre-sensor-mapping--5ceb0d3d-5f43-49bf-8063-da63863471b5", + "modified": "2023-10-27T20:54:33.678872Z", + "relationship": "Terminated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.678872Z", + "id": "relationship--861d54c0-9bf5-4214-a154-66b2a3a39f58", + "modified": "2023-10-27T20:54:33.678872Z", + "relationship_type": "Terminated", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.679872Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "modified": "2023-10-27T20:54:33.679872Z", + "name": "Network Traffic Content", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.680875Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Triggered when unlabeled traffic is allowed when using packet labeling", + "event_id": "MAC_UNLBL_ALLOW", + "id": "x-mitre-sensor-mapping--5de0ebcd-c17e-4cc0-90a3-73f21ac50870", + "modified": "2023-10-27T20:54:33.680875Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Network", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:33.681873Z", + "id": "relationship--212bd8e2-21ca-49e8-be53-6cde054ccd44", + "modified": "2023-10-27T20:54:33.681873Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.681873Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--12fb7e95-8224-492c-b5e7-80903a6c8bfa", + "modified": "2023-10-27T20:54:33.681873Z", + "name": "Process Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.682872Z", + "data_component": "Process Access", + "data_source": "Process", + "description": "Triggered when TTY input was sent to an administrative 
process", + "event_id": "TTY", + "id": "x-mitre-sensor-mapping--18081865-f85e-4c00-a4a3-adaa098a3151", + "modified": "2023-10-27T20:54:33.682872Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:33.68387Z", + "id": "relationship--5bb3a6dc-8f7a-4ab2-bd28-20fbd8b14f77", + "modified": "2023-10-27T20:54:33.68387Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--12fb7e95-8224-492c-b5e7-80903a6c8bfa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.684869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "modified": "2023-10-27T20:54:33.684869Z", + "name": "Process Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.686035Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "Triggered when a user-space shell command is executed", + "event_id": "USER_CMD", + "id": "x-mitre-sensor-mapping--8ac4056d-1d70-4669-bffd-db00ff247cd3", + "modified": "2023-10-27T20:54:33.686035Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:33.686871Z", + "id": "relationship--e880376a-863c-426c-bb8e-22c7b5e5adea", + "modified": "2023-10-27T20:54:33.686871Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.687867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--52a9b19a-9dcc-4eef-aff3-58d3e4523ceb", + "modified": "2023-10-27T20:54:33.687867Z", + "name": "Process Termination", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.688868Z", + "data_component": "Process Termination", + "data_source": "Process", + "description": "Triggered when a processes ends abnormally (with core dump, if enabled)", + "event_id": "ANOM_ABEND", + "id": "x-mitre-sensor-mapping--743f9189-01a7-43fa-b660-8d8bdfd233f9", + "modified": "2023-10-27T20:54:33.688868Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:33.689873Z", + "id": "relationship--0b534afa-9c3d-41cc-a190-a74eb12679fc", + "modified": "2023-10-27T20:54:33.689873Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": 
"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--52a9b19a-9dcc-4eef-aff3-58d3e4523ceb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.690869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--97e54b9b-0b7f-4b98-8672-e06e407c0b48", + "modified": "2023-10-27T20:54:33.690869Z", + "name": "Service Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.690869Z", + "data_component": "Service Access", + "data_source": "Service", + "description": "Triggered to record an SELinux permission check", + "event_id": "AVC", + "id": "x-mitre-sensor-mapping--a844e604-a8fa-433c-95cc-fb1ac46b4d77", + "modified": "2023-10-27T20:54:33.690869Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.691869Z", + "id": "relationship--81934ace-c6d1-4640-b594-7d0cf7b3c13e", + "modified": "2023-10-27T20:54:33.691869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--97e54b9b-0b7f-4b98-8672-e06e407c0b48", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.692869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": 
"x-mitre-data-component--e35fe7ee-5a6d-47c5-9505-7faed979e3d5", + "modified": "2023-10-27T20:54:33.692869Z", + "name": "Service Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.693867Z", + "data_component": "Service Creation", + "data_source": "Service", + "description": "Triggered when the auditd daemon is started", + "event_id": "DAEMON_START", + "id": "x-mitre-sensor-mapping--3966849a-f767-4636-a850-0364844045af", + "modified": "2023-10-27T20:54:33.693867Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.694868Z", + "id": "relationship--f35459d5-c903-4e74-b21f-d0d6029f8097", + "modified": "2023-10-27T20:54:33.694868Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e35fe7ee-5a6d-47c5-9505-7faed979e3d5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.694868Z", + "data_component": "Service Creation", + "data_source": "Service", + "description": "Triggered when a SELinux Policy file is loaded", + "event_id": "MAC_POLICY_LOAD", + "id": "x-mitre-sensor-mapping--583479cd-7470-485c-951f-abc81cc3052e", + "modified": "2023-10-27T20:54:33.694868Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": 
"Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.69607Z", + "id": "relationship--ba4b580f-7cd6-4dd9-ac3d-90aaa2d17988", + "modified": "2023-10-27T20:54:33.69607Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e35fe7ee-5a6d-47c5-9505-7faed979e3d5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.69607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "modified": "2023-10-27T20:54:33.69607Z", + "name": "Service Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.696866Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when a daemon is stopped due to an error", + "event_id": "DAEMON_ABORT", + "id": "x-mitre-sensor-mapping--4c3e97e6-0357-4b8c-a121-1e5a0762244d", + "modified": "2023-10-27T20:54:33.696866Z", + "relationship": "Terminated", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.696866Z", + "id": "relationship--b3408fe0-c873-4cc9-b31c-b1124e960922", + "modified": "2023-10-27T20:54:33.696866Z", + "relationship_type": "Terminated", + "revoked": false, + 
"source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.697866Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when a daemon is successfully stopped", + "event_id": "DAEMON_END", + "id": "x-mitre-sensor-mapping--e32f509a-efb0-49b1-9670-59c7e0e8a611", + "modified": "2023-10-27T20:54:33.697866Z", + "relationship": "Terminated", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.697866Z", + "id": "relationship--89a65c88-fbd0-4a00-97d8-82e42ad6ece0", + "modified": "2023-10-27T20:54:33.697866Z", + "relationship_type": "Terminated", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.698865Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when the auditd daemon resumes logging", + "event_id": "DAEMON_RESUME", + "id": "x-mitre-sensor-mapping--2ee305ab-ccba-433c-8d69-6a9df957855e", + "modified": "2023-10-27T20:54:33.698865Z", + "relationship": "Resumed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.698865Z", + "id": "relationship--b8b1384a-006d-4554-a70c-b13b42e112e6", + "modified": "2023-10-27T20:54:33.698865Z", + "relationship_type": "Resumed", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + 
"spec_version": "2.1", + "target_ref": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.698865Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when the auditd daemon rotates the Audit log files", + "event_id": "DAEMON_ROTATE", + "id": "x-mitre-sensor-mapping--5bb5bc58-129c-49e6-8bbb-dfcf5b7c55ac", + "modified": "2023-10-27T20:54:33.698865Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.699866Z", + "id": "relationship--9324b29f-05d1-4d05-b24a-7fef861d6b01", + "modified": "2023-10-27T20:54:33.699866Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.699866Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when an internal SELinux error is detected", + "event_id": "SELINUX_ERR", + "id": "x-mitre-sensor-mapping--b64d637e-4748-4dae-89a7-3073fada0fe5", + "modified": "2023-10-27T20:54:33.699866Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.700866Z", + "id": "relationship--603cbfb4-9d8d-4c08-b540-c521af368bbc", + "modified": "2023-10-27T20:54:33.700866Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.700866Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when an explanatory msg about TTY input to admin proc is sent", + "event_id": "USER_TTY", + "id": "x-mitre-sensor-mapping--3d483a16-c13c-4d5f-9a2d-13e8e028f620", + "modified": "2023-10-27T20:54:33.700866Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.701867Z", + "id": "relationship--a1075c6a-73b7-4307-9b2e-e747a427c8b3", + "modified": "2023-10-27T20:54:33.701867Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.701867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "modified": "2023-10-27T20:54:33.701867Z", + "name": "Service Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.702865Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when a device enables or disables promiscuous 
mode", + "event_id": "ANOM_PROMISCUOUS", + "id": "x-mitre-sensor-mapping--f875bb44-bc24-41b4-8238-b1e81c9ea355", + "modified": "2023-10-27T20:54:33.702865Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.702865Z", + "id": "relationship--512acc17-5965-4666-9bd0-3635618cc5b8", + "modified": "2023-10-27T20:54:33.702865Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.703865Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_enabled record field contains 1 or 2", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--3fb6ee59-7cef-41fa-b7ba-3d4ade27150f", + "modified": "2023-10-27T20:54:33.703865Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.703865Z", + "id": "relationship--7727903d-7d68-49e0-874c-8cff37f43c38", + "modified": "2023-10-27T20:54:33.703865Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.704865Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_enabled record field contains 0", + "event_id": "CONFIG_CHANGE", + "id": 
"x-mitre-sensor-mapping--c4049637-1ee1-4bda-9f5d-238ec36272cd", + "modified": "2023-10-27T20:54:33.704865Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.705869Z", + "id": "relationship--6416b2ef-23fe-4317-b1d0-adb20380f336", + "modified": "2023-10-27T20:54:33.705869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.706871Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "op record field contains add rule", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--ee80284e-6852-41dc-b4bd-7e159dea57f3", + "modified": "2023-10-27T20:54:33.706871Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.706871Z", + "id": "relationship--2a27e5da-9130-45a4-baf1-8533634ba149", + "modified": "2023-10-27T20:54:33.706871Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.707871Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "op record field contains remove rule", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--6df20b5c-8fe7-4220-b1dc-17d653a9ffeb", + "modified": 
"2023-10-27T20:54:33.707871Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.70887Z", + "id": "relationship--36bc5386-d364-4599-a6e6-04d2218e67b9", + "modified": "2023-10-27T20:54:33.70887Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.70887Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_failure record field contains value 0", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--fc99a12c-53ee-452b-8851-c020b6546529", + "modified": "2023-10-27T20:54:33.70887Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.709867Z", + "id": "relationship--58343cde-2069-48f9-a866-8754dd733a1a", + "modified": "2023-10-27T20:54:33.709867Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.709867Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_failure record field contains value 1", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--e2df85de-119a-4a0a-8842-015ffb3ee586", + "modified": "2023-10-27T20:54:33.709867Z", + "relationship": "Modified", + "revoked": false, + "source": 
"Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.71087Z", + "id": "relationship--5a3f1515-e16a-4933-b8a3-79ce5acf1a40", + "modified": "2023-10-27T20:54:33.71087Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.71087Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_failure record field contains value 2", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--45564e66-b060-4afe-8f2f-045cf937e8de", + "modified": "2023-10-27T20:54:33.71087Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.711868Z", + "id": "relationship--da86629c-0e99-41f0-bcc8-4d2356580fb1", + "modified": "2023-10-27T20:54:33.711868Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.711868Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "any other CONFIG_CHANGE cases not specified above", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--254c3b4c-6e20-467a-92f3-447d4512a0d1", + "modified": "2023-10-27T20:54:33.711868Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.712869Z", + "id": "relationship--fffc1ac3-2259-4559-af91-ffd27de1dec7", + "modified": "2023-10-27T20:54:33.712869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.712869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when a daemon configuration change is detected", + "event_id": "DAEMON_CONFIG", + "id": "x-mitre-sensor-mapping--f6d0d4b0-f1ca-43bd-aa28-82cacf78acd9", + "modified": "2023-10-27T20:54:33.712869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.71387Z", + "id": "relationship--12f6180a-9262-457a-a10e-d58720c820b9", + "modified": "2023-10-27T20:54:33.71387Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.71387Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when Commercial Internet Protocol Security Option user adds a new Domain of Interpretation (DOI) via NetLabel", + "event_id": "MAC_CIPSOV4_ADD", + "id": "x-mitre-sensor-mapping--e7eeaf66-6053-49cc-aa8d-cfb743dafef6", + "modified": "2023-10-27T20:54:33.71387Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.714868Z", + "id": "relationship--f7ce3c97-877d-48a4-ad88-dd3386aba1d7", + "modified": "2023-10-27T20:54:33.714868Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.714868Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.", + "event_id": "MAC_CIPSOV4_DEL", + "id": "x-mitre-sensor-mapping--841cce3b-2019-4844-8b90-01f1755c1fbd", + "modified": "2023-10-27T20:54:33.714868Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.715868Z", + "id": "relationship--584855e4-21c5-4c3c-a4d1-9689b8927dd1", + "modified": "2023-10-27T20:54:33.715868Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.715868Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when an SELinux Boolean value is changed", + "event_id": "MAC_CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--00c2e838-3c11-43ee-8b87-c10c933cd1ac", + "modified": "2023-10-27T20:54:33.715868Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + 
"target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.717153Z", + "id": "relationship--e7437d25-778c-4f38-baba-7f1431653daf", + "modified": "2023-10-27T20:54:33.717153Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.717153Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.", + "event_id": "MAC_MAP_ADD", + "id": "x-mitre-sensor-mapping--5c3984c1-d866-42fe-9413-6b33bee97e6c", + "modified": "2023-10-27T20:54:33.717153Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.717869Z", + "id": "relationship--149ddd7e-6ccd-4c63-a9c5-b90a7bf62bf8", + "modified": "2023-10-27T20:54:33.717869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.717869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when existing LSM domain mapping is deleted", + "event_id": "MAC_MAP_DEL", + "id": "x-mitre-sensor-mapping--d172c8fe-bf32-4836-a66e-fa448f042e5b", + "modified": "2023-10-27T20:54:33.717869Z", + "relationship": "Modified", + "revoked": false, + 
"source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.718869Z", + "id": "relationship--b5283efd-7887-4ed6-bc07-1a50ec72ea43", + "modified": "2023-10-27T20:54:33.718869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.718869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when the SELinux mode is changed (enforcing, permissive, etc)", + "event_id": "MAC_STATUS", + "id": "x-mitre-sensor-mapping--2452e999-3ad7-47ca-a497-67f2d84713b1", + "modified": "2023-10-27T20:54:33.718869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.719869Z", + "id": "relationship--6edd1178-9efe-497d-a6e7-25efa0f30f09", + "modified": "2023-10-27T20:54:33.719869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.719869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when an administrator user assigns user to SELinux role", + "event_id": "ROLE_ASSIGN", + "id": "x-mitre-sensor-mapping--9b34b35f-db0f-4edb-9744-23669451f998", + "modified": "2023-10-27T20:54:33.719869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": 
"2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.720869Z", + "id": "relationship--dd47f8b3-1b2b-4f06-8afa-d22247f4cadb", + "modified": "2023-10-27T20:54:33.720869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.720869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when an administrator removes a user from an SELinux role", + "event_id": "ROLE_REMOVE", + "id": "x-mitre-sensor-mapping--7a407e7d-ed0e-43b5-9ade-57d1151b29e9", + "modified": "2023-10-27T20:54:33.720869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.72187Z", + "id": "relationship--c901e9d3-a4db-47a7-a156-ccae32cf5158", + "modified": "2023-10-27T20:54:33.72187Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.72287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "modified": "2023-10-27T20:54:33.72287Z", + "name": "User Account Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.723933Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "Triggered when a user refreshes their user-space credentials", + "event_id": "CRED_REFR", + "id": "x-mitre-sensor-mapping--1d85bb3e-2f0f-4dc2-a6f3-9b44496780d7", + "modified": "2023-10-27T20:54:33.723933Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.723933Z", + "id": "relationship--1714a2bc-56ee-49e2-9590-3722ee5fbc7b", + "modified": "2023-10-27T20:54:33.723933Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.724924Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "op record field contains value moving home directory", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--077922ca-a790-43eb-b14f-00884e22cfbf", + "modified": "2023-10-27T20:54:33.724924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.724924Z", + "id": "relationship--b0f349ed-2e5a-4f1e-8e52-9bca4cf88de3", + "modified": "2023-10-27T20:54:33.724924Z", + "relationship_type": "Modified", + "revoked": false, + 
"source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.726013Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "op record field contains value user lookup", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--d78df75f-1137-41f7-aff8-a586a29d52f5", + "modified": "2023-10-27T20:54:33.726013Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.726013Z", + "id": "relationship--bf5f6b8f-5daa-4f66-a67c-d4532875d5f6", + "modified": "2023-10-27T20:54:33.726013Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.726922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "modified": "2023-10-27T20:54:33.726922Z", + "name": "User Account Authentication", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.726922Z", + "data_component": "User 
Account Authentication", + "data_source": "User Account", + "description": "Triggered when the limit of failed login attempts is reached", + "event_id": "ANOM_LOGIN_FAILURES", + "id": "x-mitre-sensor-mapping--d6f381a3-fcb5-4bc9-ab49-d17d0fc2bf5f", + "modified": "2023-10-27T20:54:33.726922Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.727922Z", + "id": "relationship--fe185402-81af-499f-ab84-be6b6260a31f", + "modified": "2023-10-27T20:54:33.727922Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.727922Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when a login atempt is made from forbidden location", + "event_id": "ANOM_LOGIN_LOCATION", + "id": "x-mitre-sensor-mapping--5130362d-ab38-4b88-987b-39cb0168ce2d", + "modified": "2023-10-27T20:54:33.727922Z", + "relationship": "Closed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.728922Z", + "id": "relationship--b31bb91c-284b-43a0-898d-adada3dd6d15", + "modified": "2023-10-27T20:54:33.728922Z", + "relationship_type": "Closed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.728922Z", + "data_component": "User Account 
Authentication", + "data_source": "User Account", + "description": "Triggered when a login attempt reaches max amount of sessions", + "event_id": "ANOM_LOGIN_SESSIONS", + "id": "x-mitre-sensor-mapping--2a34ded5-6628-40a0-b8a5-0fd8fa14e7ab", + "modified": "2023-10-27T20:54:33.728922Z", + "relationship": "Closed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.729931Z", + "id": "relationship--f03b9a2a-4e3f-4ccc-a26d-82ace82752d4", + "modified": "2023-10-27T20:54:33.729931Z", + "relationship_type": "Closed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.729931Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when a login attempt is made at a time when prevented", + "event_id": "ANOM_LOGIN_TIME", + "id": "x-mitre-sensor-mapping--d31a9924-412e-4b05-9a71-ab4b4b9e46ca", + "modified": "2023-10-27T20:54:33.729931Z", + "relationship": "Closed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.730925Z", + "id": "relationship--5cc6cccd-1bdb-418b-bec0-12da97ba10b8", + "modified": "2023-10-27T20:54:33.730925Z", + "relationship_type": "Closed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.732923Z", + "data_component": "User Account Authentication", + 
"data_source": "User Account", + "description": "Triggered when a user account is locked", + "event_id": "RESP_ACCT_LOCK", + "id": "x-mitre-sensor-mapping--d4e19f25-84a3-4202-a212-2d03f1d86cdc", + "modified": "2023-10-27T20:54:33.732923Z", + "relationship": "Locked", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.734923Z", + "id": "relationship--e6d079a7-fcd2-42ba-9a5e-7894aa5fa48d", + "modified": "2023-10-27T20:54:33.734923Z", + "relationship_type": "Locked", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.735923Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when user account is unlocked after configured time", + "event_id": "RESP_ACCT_UNLOCK_TIMED", + "id": "x-mitre-sensor-mapping--49fa051c-f24f-474a-9558-47281b508ef7", + "modified": "2023-10-27T20:54:33.735923Z", + "relationship": "Unlocked", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.735923Z", + "id": "relationship--b3ff70e1-fd87-475f-810c-b45853218bfa", + "modified": "2023-10-27T20:54:33.735923Z", + "relationship_type": "Unlocked", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.736922Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + 
"description": "Triggered when a user-space user authorization attempt is detected", + "event_id": "USER_ACCT", + "id": "x-mitre-sensor-mapping--e6e7f723-0500-4fe2-9031-ed3d96407cda", + "modified": "2023-10-27T20:54:33.736922Z", + "relationship": "Authorized", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.737922Z", + "id": "relationship--dc97087c-3b76-48e4-9b03-d9a49e81ecc0", + "modified": "2023-10-27T20:54:33.737922Z", + "relationship_type": "Authorized", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.738924Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when a user-space user authentication attempt is detected", + "event_id": "USER_AUTH", + "id": "x-mitre-sensor-mapping--10bf2854-1c41-4cee-9681-333a75444b65", + "modified": "2023-10-27T20:54:33.738924Z", + "relationship": "Authenticates", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.739931Z", + "id": "relationship--be760eda-543a-48c7-a309-07400af4d552", + "modified": "2023-10-27T20:54:33.739931Z", + "relationship_type": "Authenticates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.739931Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": 
"x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "modified": "2023-10-27T20:54:33.739931Z", + "name": "User Account Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.740927Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "Triggered when a user-space user account is created", + "event_id": "ADD_USER", + "id": "x-mitre-sensor-mapping--42b6fbc9-b608-47c5-92de-85965906047f", + "modified": "2023-10-27T20:54:33.740927Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.740927Z", + "id": "relationship--b54c92e4-7020-490d-a1d9-10fd27f89cd0", + "modified": "2023-10-27T20:54:33.740927Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.741926Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "Triggered when a user-space account addition ends abnormally", + "event_id": "ANOM_ADD_ACCOUNT", + "id": "x-mitre-sensor-mapping--80f46219-20d7-416c-bcbe-46d665389520", + "modified": "2023-10-27T20:54:33.741926Z", + "relationship": "Created", + "revoked": false, + "source": 
"Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.741926Z", + "id": "relationship--d2cd321f-c961-4c4e-b56c-0cf6183f8e9d", + "modified": "2023-10-27T20:54:33.741926Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.742926Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "op record field contains add SELinux user record", + "event_id": "USER_ROLE_CHANGE", + "id": "x-mitre-sensor-mapping--2b2f13cc-d37d-4754-ab66-cce362360579", + "modified": "2023-10-27T20:54:33.742926Z", + "relationship": "Created", + "revoked": false, + "source": "Process/Suer", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.742926Z", + "id": "relationship--99fa83ec-3178-4115-8ca6-6fee4fbda16d", + "modified": "2023-10-27T20:54:33.742926Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.743925Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "modified": "2023-10-27T20:54:33.743925Z", + "name": "User Account Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.743925Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "Triggered when a user-space account deletion ends abnormally", + "event_id": "ANOM_DEL_ACCOUNT", + "id": "x-mitre-sensor-mapping--0521e52d-0796-4cbf-a299-50d5e99e2df2", + "modified": "2023-10-27T20:54:33.743925Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.744926Z", + "id": "relationship--6c5a7403-b848-4ec7-ab57-96558fce0169", + "modified": "2023-10-27T20:54:33.744926Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.744926Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "Triggered when a user-space user is deleted", + "event_id": "DEL_USER", + "id": "x-mitre-sensor-mapping--93b81312-850b-4ef3-9ed7-4cac1c86a65b", + "modified": "2023-10-27T20:54:33.744926Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.74607Z", + "id": "relationship--f00198cb-d46e-4803-9d2c-f9bc49309fe7", + "modified": "2023-10-27T20:54:33.74607Z", + "relationship_type": 
"Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.746927Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting user entries", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--74339526-d782-4ec7-a327-8781c2954c0b", + "modified": "2023-10-27T20:54:33.746927Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.747926Z", + "id": "relationship--7bf4c14c-d7d8-4365-9d7b-ac90ad9f1cd8", + "modified": "2023-10-27T20:54:33.747926Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.748927Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting user not found", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--51b759c2-d9d1-4c02-965a-63b8cef8daa7", + "modified": "2023-10-27T20:54:33.748927Z", + "relationship": "Errored", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.749926Z", + "id": "relationship--57705527-3e11-43ec-b5d3-719ccd81ff32", + "modified": "2023-10-27T20:54:33.749926Z", + "relationship_type": "Errored", + "revoked": false, + 
"source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.750925Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting user", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f258b7dc-86e2-44b2-9deb-2c2f56ea3a60", + "modified": "2023-10-27T20:54:33.750925Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.751925Z", + "id": "relationship--fa6a0a5c-4e61-48ed-b2f6-115a7ed9eedd", + "modified": "2023-10-27T20:54:33.751925Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.752926Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting user logged in", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f8e4f97f-7af8-4936-8664-ef186070884e", + "modified": "2023-10-27T20:54:33.752926Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.75393Z", + "id": "relationship--b6907910-a862-4d7a-b0cc-43e5f9e52f31", + "modified": "2023-10-27T20:54:33.75393Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.755924Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting home directory", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--9875e772-7ff4-49a8-8069-a81b50f30851", + "modified": "2023-10-27T20:54:33.755924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.756334Z", + "id": "relationship--d18c7f69-47d3-4480-b406-f53f1b6bea5a", + "modified": "2023-10-27T20:54:33.756334Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.756926Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains delete SELinux user record", + "event_id": "USER_ROLE_CHANGE", + "id": "x-mitre-sensor-mapping--17aa1808-6d6d-4216-95a4-76143460e4b8", + "modified": "2023-10-27T20:54:33.756926Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.757924Z", + "id": "relationship--af2e560d-5450-4522-8994-2a0d9fb9c2b3", + "modified": "2023-10-27T20:54:33.757924Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.757924Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "modified": "2023-10-27T20:54:33.757924Z", + "name": "User Account Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.758937Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Triggered when a user acquires user-space credentials", + "event_id": "CRED_ACQ", + "id": "x-mitre-sensor-mapping--e071bbd3-336c-4477-8063-8a163aedbdb4", + "modified": "2023-10-27T20:54:33.758937Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.758937Z", + "id": "relationship--1d05c7e8-76e2-49bf-aeb9-370756ef1c7d", + "modified": "2023-10-27T20:54:33.758937Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.759935Z", + "data_component": "User Account Metadata", + 
"data_source": "User Account", + "description": "Triggered when a user disposes of user-space credentials", + "event_id": "CRED_DISP", + "id": "x-mitre-sensor-mapping--07e77dc0-984f-4cae-81a0-fb239a35a14f", + "modified": "2023-10-27T20:54:33.759935Z", + "relationship": "Deleted", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.759935Z", + "id": "relationship--d928ad8d-4f99-4981-aaaf-4789f7b7da70", + "modified": "2023-10-27T20:54:33.759935Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.760935Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "op record field contains value unlock password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--bc5ae21c-ba54-4620-84ff-138b537adff9", + "modified": "2023-10-27T20:54:33.760935Z", + "relationship": "Unlocked", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.760935Z", + "id": "relationship--86907105-f0ac-4911-9828-308f7278419a", + "modified": "2023-10-27T20:54:33.760935Z", + "relationship_type": "Unlocked", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.761935Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": 
"Triggered when a user account state error is detected", + "event_id": "USER_ERR", + "id": "x-mitre-sensor-mapping--9f86adf9-75fe-4df0-a756-36fbef54cba7", + "modified": "2023-10-27T20:54:33.761935Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.761935Z", + "id": "relationship--66ea1bda-1681-4d5e-8737-4c0b2a4960ea", + "modified": "2023-10-27T20:54:33.761935Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.762922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "modified": "2023-10-27T20:54:33.762922Z", + "name": "User Account Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.762922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--b9e37822-25fc-492a-be88-1a7bd08176eb", + "modified": "2023-10-27T20:54:33.762922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + 
"spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.763935Z", + "id": "relationship--b26d03b6-1eff-4d29-ae05-4e01f20fa5e6", + "modified": "2023-10-27T20:54:33.763935Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.764924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--7b8e0ca7-7288-4a9c-9319-25fe0d147e0a", + "modified": "2023-10-27T20:54:33.764924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.764924Z", + "id": "relationship--ae27ca5c-51f7-479e-876e-191c3df05a1c", + "modified": "2023-10-27T20:54:33.764924Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.765938Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change expired password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--928f2f8c-0d58-43a8-b013-7369ad52908d", + "modified": "2023-10-27T20:54:33.765938Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": 
"User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.765938Z", + "id": "relationship--424b8e67-2a58-4f68-a06e-35f908c25979", + "modified": "2023-10-27T20:54:33.765938Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.766926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change age", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--61022c5f-b3d0-4055-b856-414aa7e4e867", + "modified": "2023-10-27T20:54:33.766926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.767924Z", + "id": "relationship--674ffc53-0425-42b6-a13e-251578b62dd9", + "modified": "2023-10-27T20:54:33.767924Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.768924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change max age", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--98bdad7c-72a5-4472-b8ed-f2d4dc74dab2", + "modified": "2023-10-27T20:54:33.768924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", 
+ "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.768924Z", + "id": "relationship--9b3a8d66-8a67-4150-a27c-1e41508666c0", + "modified": "2023-10-27T20:54:33.768924Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.770928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change min age", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--3dc59ca3-796c-4568-a1c7-2f1cb3ab0788", + "modified": "2023-10-27T20:54:33.770928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.770928Z", + "id": "relationship--e6e61e36-9f80-4842-8cee-e4d2d87695e5", + "modified": "2023-10-27T20:54:33.770928Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.771929Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change passwd warning", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f500e4d5-2e70-43b1-998a-a213d4fd776b", + "modified": "2023-10-27T20:54:33.771929Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + 
}, + { + "created": "2023-10-27T20:54:33.772923Z", + "id": "relationship--b4481ad2-b497-4929-85a4-016f2a28647d", + "modified": "2023-10-27T20:54:33.772923Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.773922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change inactive days", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--6a4239a5-d510-493c-b5cf-96c89a37092f", + "modified": "2023-10-27T20:54:33.773922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.773922Z", + "id": "relationship--19a26b62-2a9f-4be2-b637-c82eaf303dde", + "modified": "2023-10-27T20:54:33.773922Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.774923Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change passwd expiration", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--0ae7eb31-24ed-4011-b9b2-30d054149543", + "modified": "2023-10-27T20:54:33.774923Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": 
"2023-10-27T20:54:33.775927Z", + "id": "relationship--042b7de0-f979-4487-ae57-68412419f320", + "modified": "2023-10-27T20:54:33.775927Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.777082Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change last change date", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--a5162530-6e72-498f-9cbe-29620d0c83ee", + "modified": "2023-10-27T20:54:33.777082Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.777925Z", + "id": "relationship--6edb5c3f-3eac-4b9d-a550-c8c8b4495f8e", + "modified": "2023-10-27T20:54:33.777925Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.777925Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change all aging information", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--20e09e61-aae0-46c3-9ff5-7b5f01be54df", + "modified": "2023-10-27T20:54:33.777925Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": 
"2023-10-27T20:54:33.778924Z", + "id": "relationship--21595ad7-ce7f-4375-b20d-b2d9eded8103", + "modified": "2023-10-27T20:54:33.778924Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.778924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value password attribute change", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--a39b4fd8-6b26-4352-b1aa-c1d25b5d3d92", + "modified": "2023-10-27T20:54:33.778924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.779925Z", + "id": "relationship--d13dc348-7a26-454c-95f3-cdb5cfc6c693", + "modified": "2023-10-27T20:54:33.779925Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.779925Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value password aging data updated", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--c10b9619-1e9c-469d-bdc7-e0bddb3644b1", + "modified": "2023-10-27T20:54:33.779925Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": 
"2023-10-27T20:54:33.780924Z", + "id": "relationship--c78017f3-a758-4a28-a6a0-e92bba42dcdc", + "modified": "2023-10-27T20:54:33.780924Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.780924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value display aging info", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f52953e8-81fb-48db-a8a8-f69a202df41b", + "modified": "2023-10-27T20:54:33.780924Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.781924Z", + "id": "relationship--1251316f-5516-44bd-b39b-5830ffc2671b", + "modified": "2023-10-27T20:54:33.781924Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.782924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value password status display", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--14a923dc-0409-4cc2-8cab-6381e22c7d2d", + "modified": "2023-10-27T20:54:33.782924Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.782924Z", + 
"id": "relationship--3179238e-e287-480f-8134-bbe92d425164", + "modified": "2023-10-27T20:54:33.782924Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.783924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value password status displayed for user", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--3754cc2f-f5e8-484e-b751-4f459d85b98d", + "modified": "2023-10-27T20:54:33.783924Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.783924Z", + "id": "relationship--3917e770-cb47-4e95-84f0-f183f3760e93", + "modified": "2023-10-27T20:54:33.783924Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.784924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding to group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--2194287a-a15f-48fa-901f-2536132ea5ec", + "modified": "2023-10-27T20:54:33.784924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.784924Z", + "id": 
"relationship--982db016-a9b1-4b9a-a1fe-93773691f06e", + "modified": "2023-10-27T20:54:33.784924Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.785922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding group member", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f0278e2d-10eb-48db-8215-2d526fbaa489", + "modified": "2023-10-27T20:54:33.785922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.786923Z", + "id": "relationship--cbe56343-be3c-438c-9bfe-fc2d7c4315bd", + "modified": "2023-10-27T20:54:33.786923Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.786923Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding user to group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--68241c2a-a789-41c5-8f9e-61abc8f7e078", + "modified": "2023-10-27T20:54:33.786923Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.787922Z", + "id": 
"relationship--0c7bd990-7a44-491f-82f6-6fcb8f7856da", + "modified": "2023-10-27T20:54:33.787922Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.787922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding user to shadow group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--bd8be1f4-e87c-445d-bb13-4454ab607a52", + "modified": "2023-10-27T20:54:33.787922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.789931Z", + "id": "relationship--f8a8f7c5-512e-4d24-a474-5b40af7cff55", + "modified": "2023-10-27T20:54:33.789931Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.790929Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing primary group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--1840a076-c449-40b6-accd-0c8b67111575", + "modified": "2023-10-27T20:54:33.790929Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.790929Z", + "id": 
"relationship--f6cb9784-6d61-40b6-a9b4-b55d60f4e36b", + "modified": "2023-10-27T20:54:33.790929Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.792928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing group member", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--5ce7a16f-b4bb-4901-b1cb-a90db0a7d91b", + "modified": "2023-10-27T20:54:33.792928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.792928Z", + "id": "relationship--02b8c4e4-9763-4e14-bcae-70e927968d1c", + "modified": "2023-10-27T20:54:33.792928Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.793927Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing admin name in shadow group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--d1b0a83a-1aee-4290-87eb-ebba0e4208af", + "modified": "2023-10-27T20:54:33.793927Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.794923Z", + "id": 
"relationship--4f6a6924-d2dd-46cd-b7fb-d6dba3969fd0", + "modified": "2023-10-27T20:54:33.794923Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.795921Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing member in shadow group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f0247ebf-796b-4f54-ace3-734d0ab3737c", + "modified": "2023-10-27T20:54:33.795921Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.795921Z", + "id": "relationship--2a3096c6-5946-4b46-9190-0c13bf914b73", + "modified": "2023-10-27T20:54:33.795921Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.796921Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting group password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--abb453f1-4428-4721-96d6-8f1f3b852af7", + "modified": "2023-10-27T20:54:33.796921Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.796921Z", + "id": 
"relationship--d1b4cd1a-cf31-4aae-9d5c-713055296766", + "modified": "2023-10-27T20:54:33.796921Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.797921Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting member", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--02c400a7-3566-43f2-8949-7ed5783da97a", + "modified": "2023-10-27T20:54:33.797921Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.797921Z", + "id": "relationship--3eb50b8f-efbf-458a-a9d6-13ae95214b95", + "modified": "2023-10-27T20:54:33.797921Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.798926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting user from group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--9884897c-7d9b-4359-a4fd-0006cf22d80b", + "modified": "2023-10-27T20:54:33.798926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.799921Z", + "id": 
"relationship--825d579c-2f87-41f8-bcbe-3389a31f18ce", + "modified": "2023-10-27T20:54:33.799921Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.799921Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting user from shadow group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--c262705d-82f2-4713-ae98-50576bda7cce", + "modified": "2023-10-27T20:54:33.799921Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.800921Z", + "id": "relationship--0a6b3a0a-c836-4b26-97cd-e3795a41a023", + "modified": "2023-10-27T20:54:33.800921Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.801924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value removing group member", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--cd8d0f1e-5a3d-4dcb-b7bf-6452252ebd43", + "modified": "2023-10-27T20:54:33.801924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.801924Z", + "id": 
"relationship--48a7a538-a505-4d97-ada1-f201f18f2160", + "modified": "2023-10-27T20:54:33.801924Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.802926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value removing user from shadow group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--4012b66e-0bcc-47e9-855b-c97410335463", + "modified": "2023-10-27T20:54:33.802926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.803923Z", + "id": "relationship--6f4a36b2-2795-4d49-a9c8-f98ca71de707", + "modified": "2023-10-27T20:54:33.803923Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.804922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--b8b2739d-8031-4de9-bdf8-8b532eb81bd2", + "modified": "2023-10-27T20:54:33.804922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.805925Z", + "id": 
"relationship--8bd7c84d-bed1-439d-b1ce-a88bb503fd26", + "modified": "2023-10-27T20:54:33.805925Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.806927Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--33a7711f-67b1-42a3-95f9-edc23127ffd9", + "modified": "2023-10-27T20:54:33.806927Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.807929Z", + "id": "relationship--9b46ba26-0f43-453e-9688-ecb60bad0cb3", + "modified": "2023-10-27T20:54:33.807929Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.808928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding user", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--4b2dd49d-8a8d-4ce1-86ec-8e9361d599b3", + "modified": "2023-10-27T20:54:33.808928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.809926Z", + "id": 
"relationship--0322695f-3903-4e47-b004-51c752fb5699", + "modified": "2023-10-27T20:54:33.809926Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.810924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding home directory", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--7e30de90-f421-40e1-b4b9-a7306a0bc6e8", + "modified": "2023-10-27T20:54:33.810924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.810924Z", + "id": "relationship--8d5adc95-740d-48f5-af22-9159617d3ac3", + "modified": "2023-10-27T20:54:33.810924Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.811926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value lock password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--a073b468-4e38-4010-9f55-0bb916365787", + "modified": "2023-10-27T20:54:33.811926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.812926Z", + "id": 
"relationship--5ff56e14-e4ad-4753-81c6-4ad1cb20d411", + "modified": "2023-10-27T20:54:33.812926Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.813928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value delete password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--6695c5ad-7d36-4955-9bce-087942525ecb", + "modified": "2023-10-27T20:54:33.813928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.814926Z", + "id": "relationship--f4d1a3cc-f71f-493f-913b-82f7a8540a4f", + "modified": "2023-10-27T20:54:33.814926Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.816193Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value updating password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--61f4bf9d-9f6c-4e64-9f94-ee5aa1c6c5c8", + "modified": "2023-10-27T20:54:33.816193Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.816926Z", + "id": 
"relationship--cd763fda-9468-4423-9395-23e7b0b84f42", + "modified": "2023-10-27T20:54:33.816926Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.817926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing name", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--7d939f13-c215-4542-89f3-a0f9eca8d4cd", + "modified": "2023-10-27T20:54:33.817926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.818926Z", + "id": "relationship--0660ec9b-362b-443d-98af-0ac81496f770", + "modified": "2023-10-27T20:54:33.818926Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.819927Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing uid", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--e9cda13b-7d0a-451d-929c-849a817ce1de", + "modified": "2023-10-27T20:54:33.819927Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.819927Z", + "id": 
"relationship--3ba0a23b-754b-4647-bd7e-1980bc22c60c", + "modified": "2023-10-27T20:54:33.819927Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.820928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing home directory", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--fe7062f1-73a5-4270-bacf-41e7ae4ac7f2", + "modified": "2023-10-27T20:54:33.820928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.822927Z", + "id": "relationship--778ceb7a-d0dc-4e3d-83d6-1ab7dcee25c5", + "modified": "2023-10-27T20:54:33.822927Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.824003Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing mail file name", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--ed094905-68f4-4c46-be41-46949c5da85b", + "modified": "2023-10-27T20:54:33.824003Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.824003Z", + "id": 
"relationship--cf1672b4-fd5e-4c12-bfb6-ecbb86e48d32", + "modified": "2023-10-27T20:54:33.824003Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.825003Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing mail file owner", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--d38288dc-6bef-46a9-9921-19cc5fd19f47", + "modified": "2023-10-27T20:54:33.825003Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.826078Z", + "id": "relationship--9063bb24-ab74-459d-89d8-2f877259a23a", + "modified": "2023-10-27T20:54:33.826078Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.826078Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Triggered when a user account password or PIN is modified", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--2bfd5de8-b50b-4391-8b67-c554fd8652d7", + "modified": "2023-10-27T20:54:33.826078Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.826998Z", + "id": 
"relationship--5068167b-6e59-463d-aa23-5b773c827767", + "modified": "2023-10-27T20:54:33.826998Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.827998Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "any other USER_ROLE_CHANGE cases not specified above", + "event_id": "USER_ROLE_CHANGE", + "id": "x-mitre-sensor-mapping--35a89c44-5591-410a-96eb-ee59b3c9d013", + "modified": "2023-10-27T20:54:33.827998Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.827998Z", + "id": "relationship--30ef5b9d-97dc-4c27-9ae8-9202ddb05e87", + "modified": "2023-10-27T20:54:33.827998Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/mappings/stix/enterprise/CloudTrail-mappings-enterprise.json b/mappings/stix/enterprise/CloudTrail-mappings-enterprise.json new file mode 100644 index 0000000..fbbe266 --- /dev/null +++ b/mappings/stix/enterprise/CloudTrail-mappings-enterprise.json 
@@ -0,0 +1,5459 @@ +{ + "id": "bundle--5fb87463-0212-4b69-b437-c323ea1a4bc5", + "objects": [ + { + "created": "2023-10-27T20:54:33.860987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "modified": "2023-10-27T20:54:33.860987Z", + "name": "Active Directory Object Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.864987Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM.", + "event_id": "GetOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--62c1d975-6ccb-43e0-87fe-12e0eb9d12e4", + "modified": "2023-10-27T20:54:33.864987Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Connect Provider", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.864987Z", + "id": "relationship--20e2290f-ea1e-47e7-9396-d17d30cc26d2", + "modified": "2023-10-27T20:54:33.864987Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.865986Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e9adf20c-691f-488b-8c41-8c460a33c80e", + "modified": "2023-10-27T20:54:33.865986Z", + "name": "Active Directory Object Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.866986Z", + "data_component": "Active Directory Object Creation", + "data_source": "Active Directory", + "description": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).\n\nThe OIDC provider that you create with this operation can be used as a principal in a role's trust policy. 
Such a policy establishes a trust relationship between AWS and the OIDC provider.", + "event_id": "CreateOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--3a30c732-cd91-446d-b7c5-a2b86d5ec882", + "modified": "2023-10-27T20:54:33.866986Z", + "relationship": "Create", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Iam Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.867987Z", + "id": "relationship--94613969-123e-430a-9ea9-68382bfdbae0", + "modified": "2023-10-27T20:54:33.867987Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e9adf20c-691f-488b-8c41-8c460a33c80e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.867987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2a0b2a05-c2e4-4fd4-968f-1d4dc130aa20", + "modified": "2023-10-27T20:54:33.867987Z", + "name": "Active Directory Object Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.868986Z", + "data_component": "Active Directory Object Deletion", + "data_source": "Active Directory", + "description": "Deletes an OpenID Connect identity provider (IdP) resource object in IAM.\n\nDeleting an IAM OIDC provider resource does not update any roles that reference the provider as a principal in their trust policies. 
Any attempt to assume a role that references a deleted provider fails.", + "event_id": "DeleteOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--6b12c0ec-78a1-469e-95a4-eb136e15bbad", + "modified": "2023-10-27T20:54:33.868986Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Oidc Identity Provider", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.869986Z", + "id": "relationship--eb0d2f82-80b9-466b-81d7-5bd4588ced2f", + "modified": "2023-10-27T20:54:33.869986Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2a0b2a05-c2e4-4fd4-968f-1d4dc130aa20", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.869986Z", + "data_component": "Active Directory Object Deletion", + "data_source": "Active Directory", + "description": "Deletes a SAML provider resource in IAM.\n\nDeleting the provider resource from IAM does not update any roles that reference the SAML provider resource's ARN as a principal in their trust policies. 
Any attempt to assume a role that references a non-existent provider resource ARN fails.", + "event_id": "DeleteSAMLProvider", + "id": "x-mitre-sensor-mapping--684c5a2c-12ba-4bbb-8bf9-caaa7cd2881d", + "modified": "2023-10-27T20:54:33.869986Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.870985Z", + "id": "relationship--11249727-73db-415a-8178-be8933cb3fd5", + "modified": "2023-10-27T20:54:33.870985Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2a0b2a05-c2e4-4fd4-968f-1d4dc130aa20", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.871985Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ac7a968c-ff19-425c-b2f4-919f0498b487", + "modified": "2023-10-27T20:54:33.871985Z", + "name": "Active Directory Object Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.873993Z", + "data_component": "Active Directory Object Enumeration", + "data_source": "Active Directory", + "description": "Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.", + "event_id": "ListOpenIDConnectProviders", + "id": 
"x-mitre-sensor-mapping--1c90607e-f262-411a-88e8-cd982db42993", + "modified": "2023-10-27T20:54:33.873993Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Openidconnectproviders (Oicp)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.873993Z", + "id": "relationship--1422107c-fd1a-4bbd-9579-e257ce999f53", + "modified": "2023-10-27T20:54:33.873993Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ac7a968c-ff19-425c-b2f4-919f0498b487", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.875988Z", + "data_component": "Active Directory Object Enumeration", + "data_source": "Active Directory", + "description": "Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible identity provider. 
The returned list of tags is sorted by tag key.", + "event_id": "ListOpenIDConnectProviderTags", + "id": "x-mitre-sensor-mapping--cc52c614-c9a9-40cb-8570-89f1906771bd", + "modified": "2023-10-27T20:54:33.875988Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.876988Z", + "id": "relationship--b349c1bf-407c-4678-9531-ab31026820a2", + "modified": "2023-10-27T20:54:33.876988Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ac7a968c-ff19-425c-b2f4-919f0498b487", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.878988Z", + "data_component": "Active Directory Object Enumeration", + "data_source": "Active Directory", + "description": "Lists the SAML provider resource objects defined in IAM in the account.", + "event_id": "ListSAMLProviders", + "id": "x-mitre-sensor-mapping--244f3a73-dd29-4c7d-b4cb-060ae684b530", + "modified": "2023-10-27T20:54:33.878988Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.879988Z", + "id": "relationship--b6dfd454-029d-4764-89da-5252cf87546d", + "modified": "2023-10-27T20:54:33.879988Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ac7a968c-ff19-425c-b2f4-919f0498b487", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.879988Z", + "data_component": "Active Directory Object Enumeration", + 
"data_source": "Active Directory", + "description": "Lists the tags that are attached to the specified Security Assertion Markup Language (SAML) identity provider. The returned list of tags is sorted by tag key.", + "event_id": "ListSAMLProviderTags", + "id": "x-mitre-sensor-mapping--21eaabf2-a903-4d6a-8072-3f5bb80fa78e", + "modified": "2023-10-27T20:54:33.879988Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.880991Z", + "id": "relationship--2c9badfc-4026-40e9-bc17-b0be0d6f5cc4", + "modified": "2023-10-27T20:54:33.880991Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ac7a968c-ff19-425c-b2f4-919f0498b487", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.881987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0238a154-faee-449c-b81c-8e99c6222642", + "modified": "2023-10-27T20:54:33.881987Z", + "name": "Active Directory Object Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.882988Z", + "data_component": "Active Directory Object Metadata", + "data_source": "Active Directory", + "description": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 
2.0.\n\nThe SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.\n\nWhen you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP.", + "event_id": "CreateSAMLProvider", + "id": "x-mitre-sensor-mapping--802c9e7c-c0fc-456e-bf8c-266f8b3171ec", + "modified": "2023-10-27T20:54:33.882988Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Saml Provider", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.882988Z", + "id": "relationship--368b98fc-e61f-46a0-b212-08d328788d60", + "modified": "2023-10-27T20:54:33.882988Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0238a154-faee-449c-b81c-8e99c6222642", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.883987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "modified": "2023-10-27T20:54:33.883987Z", + "name": "Active Directory Object Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": 
"1.0" + }, + { + "created": "2023-10-27T20:54:33.884987Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource.", + "event_id": "AddClientIDToOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--11a38397-63ba-486a-b921-72b01192d62d", + "modified": "2023-10-27T20:54:33.884987Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.884987Z", + "id": "relationship--4737b660-bef5-4e13-9903-75a5bb925dd8", + "modified": "2023-10-27T20:54:33.884987Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.886192Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object.", + "event_id": "RemoveClientIDFromOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--cc8d1949-f9e0-45b0-a3a6-38c6e677ddce", + "modified": "2023-10-27T20:54:33.886192Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.886992Z", + "id": "relationship--1dcbda73-3d6e-4b53-8039-b09e0cc71b30", + "modified": 
"2023-10-27T20:54:33.886992Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.887988Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Adds one or more tags to an OpenID Connect (OIDC)-compatible identity provider.", + "event_id": "TagOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--7e5f7094-c336-4d39-960b-7a661d40701c", + "modified": "2023-10-27T20:54:33.887988Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.891989Z", + "id": "relationship--5bfbb916-63d8-4d90-b907-df2afa11bdb6", + "modified": "2023-10-27T20:54:33.891989Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.892988Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Adds one or more tags to a Security Assertion Markup Language (SAML) identity provider.", + "event_id": "TagSAMLProvider", + "id": "x-mitre-sensor-mapping--296e7103-17f3-49dc-a1c3-6299eeeca837", + "modified": "2023-10-27T20:54:33.892988Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": 
"2023-10-27T20:54:33.893986Z", + "id": "relationship--b75df801-f910-4d25-8d45-c3a72b3abd2b", + "modified": "2023-10-27T20:54:33.893986Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.894991Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Removes the specified tags from the specified OpenID Connect (OIDC)-compatible identity provider in IAM.", + "event_id": "UntagOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--9a140771-ea47-4abc-b9ba-f97ca174b85e", + "modified": "2023-10-27T20:54:33.894991Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.895989Z", + "id": "relationship--3104fde2-14c8-4405-b819-00810eb1d626", + "modified": "2023-10-27T20:54:33.895989Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.895989Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Removes the specified tags from the specified Security Assertion Markup Language (SAML) identity provider in IAM.", + "event_id": "UntagSAMLProvider", + "id": "x-mitre-sensor-mapping--67be93ca-ee09-40d1-9c55-e56980678307", + "modified": "2023-10-27T20:54:33.895989Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam 
User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.896988Z", + "id": "relationship--e4df9481-0563-4a69-a0f4-639af67a8ab4", + "modified": "2023-10-27T20:54:33.896988Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.897985Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints.", + "event_id": "UpdateOpenIDConnectProviderThumbprint", + "id": "x-mitre-sensor-mapping--950e585c-2611-4725-bd74-4d9095369333", + "modified": "2023-10-27T20:54:33.897985Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.897985Z", + "id": "relationship--ab05c280-d183-4f93-a98c-300e04ea42a8", + "modified": "2023-10-27T20:54:33.897985Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.898984Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Updates the metadata document for an existing SAML provider resource object.", + "event_id": "UpdateSAMLProvider", + "id": 
"x-mitre-sensor-mapping--d3ab958d-35f5-4e0a-9161-7a9937524931", + "modified": "2023-10-27T20:54:33.898984Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.898984Z", + "id": "relationship--7c8af2c0-838b-41c2-a427-c5b1c2628862", + "modified": "2023-10-27T20:54:33.898984Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.899989Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--4899428d-5728-4dfc-8fa9-ad44ef2728c4", + "modified": "2023-10-27T20:54:33.899989Z", + "name": "Certificate Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.901005Z", + "data_component": "Certificate Access", + "data_source": "Certificate", + "description": "Retrieves information about the specified server certificate stored in IAM.", + "event_id": "GetServerCertificate", + "id": "x-mitre-sensor-mapping--59532e92-5868-4963-ac02-be2c067b6ba1", + "modified": "2023-10-27T20:54:33.901005Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + 
"type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.901998Z", + "id": "relationship--a718512f-3b75-4855-a505-944fb4aa35f6", + "modified": "2023-10-27T20:54:33.901998Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--4899428d-5728-4dfc-8fa9-ad44ef2728c4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.901998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2fda5c2d-3355-4ee3-b4e5-bd46c225ba36", + "modified": "2023-10-27T20:54:33.901998Z", + "name": "Certificate Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.902991Z", + "data_component": "Certificate Deletion", + "data_source": "Certificate", + "description": "A server certificate has been deleted.", + "event_id": "DeleteServerCertificate", + "id": "x-mitre-sensor-mapping--87ec82bb-0832-40ed-ad55-2e6827fc6fe6", + "modified": "2023-10-27T20:54:33.902991Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.902991Z", + "id": "relationship--43dd2e64-f621-416d-8543-25efdf27cd69", + "modified": "2023-10-27T20:54:33.902991Z", + "relationship_type": "Delete", + "revoked": false, + 
"source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2fda5c2d-3355-4ee3-b4e5-bd46c225ba36", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.903988Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--37025b73-555a-4193-8308-66f0ae19e346", + "modified": "2023-10-27T20:54:33.903988Z", + "name": "Certificate Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.903988Z", + "data_component": "Certificate Enumeration", + "data_source": "Certificate", + "description": "Lists the server certificates stored in IAM that have the specified path prefix. 
If none exist, the operation returns an empty list.", + "event_id": "ListServerCertificates", + "id": "x-mitre-sensor-mapping--52c2aed6-3189-4b4d-a140-fe6196bec41c", + "modified": "2023-10-27T20:54:33.903988Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.903988Z", + "id": "relationship--90edf34b-c3e7-4645-a19a-234a687cd5dc", + "modified": "2023-10-27T20:54:33.903988Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--37025b73-555a-4193-8308-66f0ae19e346", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.904988Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2ffc76e9-adc4-4be7-a8b3-42a384a7f045", + "modified": "2023-10-27T20:54:33.904988Z", + "name": "Certificate Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.905993Z", + "data_component": "Certificate Modification", + "data_source": "Certificate", + "description": "Adds one or more tags to an IAM server certificate. 
If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagServerCertificate", + "id": "x-mitre-sensor-mapping--aad1aa8e-4536-4258-8184-b2d3af856f4c", + "modified": "2023-10-27T20:54:33.905993Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.907088Z", + "id": "relationship--2f4bc47f-410b-4441-8cf9-3816273f397f", + "modified": "2023-10-27T20:54:33.907088Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2ffc76e9-adc4-4be7-a8b3-42a384a7f045", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.907991Z", + "data_component": "Certificate Modification", + "data_source": "Certificate", + "description": "Removes the specified tags from the IAM server certificate.", + "event_id": "UntagServerCertificate", + "id": "x-mitre-sensor-mapping--4b91ba16-7b4a-4cab-a27a-94de021da326", + "modified": "2023-10-27T20:54:33.907991Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.907991Z", + "id": "relationship--67aeee9c-c64a-4828-872b-9f879ef42a60", + "modified": "2023-10-27T20:54:33.907991Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2ffc76e9-adc4-4be7-a8b3-42a384a7f045", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.90899Z", + "data_component": "Certificate Modification", + 
"data_source": "Certificate", + "description": "Updates the name and/or the path of the specified server certificate stored in IAM.", + "event_id": "UpdateServerCertificate", + "id": "x-mitre-sensor-mapping--9c1696b6-a921-45f1-b56b-e98f07865132", + "modified": "2023-10-27T20:54:33.90899Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.909993Z", + "id": "relationship--008e36fe-6c61-4c64-833b-5b14d559cb36", + "modified": "2023-10-27T20:54:33.909993Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2ffc76e9-adc4-4be7-a8b3-42a384a7f045", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.909993Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "modified": "2023-10-27T20:54:33.909993Z", + "name": "Cloud Service Account", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-source", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.911003Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--20829e89-bfc7-42b5-865a-8ab293f336f2", + "modified": "2023-10-27T20:54:33.911003Z", + "name": "Cloud Service Account Access", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.911003Z", + "data_component": "Cloud Service Account Access", + "data_source": "Cloud Service Account", + "description": "Retrieves the service last accessed data report for AWS Organizations that was previously generated using the GenerateOrganizationsAccessReport operation. This operation retrieves the status of your report job and the report contents.\n..\nTo call this operation, you must be signed in to the management account in your organization. SCPs must be enabled for your organization root. You must have permissions to perform this operation. 
\n\nFor each service that principals in an account (root user, IAM users, or IAM roles) could access using SCPs, the operation returns details about the most recent access attempt.", + "event_id": "GetOrganizationsAccessReport", + "id": "x-mitre-sensor-mapping--01fcd754-8c8f-4690-a9d3-19aa9adbf040", + "modified": "2023-10-27T20:54:33.911003Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Cloud Service Account Report", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.911985Z", + "id": "relationship--9c78ad5f-a24e-4be0-ab9b-f7c6febf7703", + "modified": "2023-10-27T20:54:33.911985Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--20829e89-bfc7-42b5-865a-8ab293f336f2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.911985Z", + "data_component": "Cloud Service Account Access", + "data_source": "Cloud Service Account", + "description": "Retrieves the status of your service-linked role deletion.", + "event_id": "GetServiceLinkedRoleDeletionStatus", + "id": "x-mitre-sensor-mapping--58fca9f2-5762-4a36-9fdf-192e70a75ca5", + "modified": "2023-10-27T20:54:33.911985Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.912986Z", + "id": "relationship--a6a8cdb3-42e7-45d8-b210-88a66df10cd4", + "modified": "2023-10-27T20:54:33.912986Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--20829e89-bfc7-42b5-865a-8ab293f336f2", + "type": 
"relationship" + }, + { + "created": "2023-10-27T20:54:33.912986Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fa47a8fd-06bc-401f-afcd-3c2bfd2981e3", + "modified": "2023-10-27T20:54:33.912986Z", + "name": "Cloud Service Account Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.913998Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "Submits a service-linked role deletion request and returns a DeletionTaskId, which you can use to check the status of the deletion. 
Before you call this operation, confirm that the role has no active sessions and that any resources used by the role in the linked service are deleted.", + "event_id": "DeleteServiceLinkedRole", + "id": "x-mitre-sensor-mapping--20e76b4a-a1fe-4add-b202-4e13993f750b", + "modified": "2023-10-27T20:54:33.913998Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account Service Link", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.913998Z", + "id": "relationship--c303a0f6-a6b9-488e-bd49-bac283ea602c", + "modified": "2023-10-27T20:54:33.913998Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fa47a8fd-06bc-401f-afcd-3c2bfd2981e3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.914988Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "Generates a report for service last accessed data for AWS Organizations. You can generate a report for any entities (organization root, organizational unit, or account) or policies in your organization.\n\nTo call this operation, you must be signed in using your Organizations management account credentials. You can use your long-term IAM user or root user credentials, or temporary credentials from assuming an IAM role. SCPs must be enabled for your organization root. 
You must have the required IAM and Organizations permissions.", + "event_id": "GenerateOrganizationsAccessReport", + "id": "x-mitre-sensor-mapping--5a6e4a46-745b-42c9-9726-ea98a0873b11", + "modified": "2023-10-27T20:54:33.914988Z", + "relationship": "Enumerate", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Organization", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.914988Z", + "id": "relationship--1b8efa9e-fff0-4ca5-8d34-011a4827c3b1", + "modified": "2023-10-27T20:54:33.914988Z", + "relationship_type": "Enumerate", + "revoked": false, + "source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fa47a8fd-06bc-401f-afcd-3c2bfd2981e3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.916058Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. 
\n\n The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access.", + "event_id": "GetServiceLastAccessedDetails", + "id": "x-mitre-sensor-mapping--823af662-5701-4411-872b-7da41a74850e", + "modified": "2023-10-27T20:54:33.916058Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.916058Z", + "id": "relationship--bb2de1b8-4dd7-4ba7-9d01-97374f2cbc07", + "modified": "2023-10-27T20:54:33.916058Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fa47a8fd-06bc-401f-afcd-3c2bfd2981e3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.916986Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "After you generate a group or policy report using the GenerateServiceLastAccessedDetails operation, you can use the JobId parameter in GetServiceLastAccessedDetailsWithEntities. 
This operation retrieves the status of your report job and a list of entities that could have used group or policy permissions to access the specified service.\n\nGroup – For a group report, this operation returns a list of users in the group that could have used the group’s policies in an attempt to access the service.\n\nPolicy – For a policy report, this operation returns a list of entities (users or roles) that could have used the policy in an attempt to access the service.\n\nYou can also use this operation for user or role reports to retrieve details about those entities.", + "event_id": "GetServiceLastAccessedDetailsWithEntities", + "id": "x-mitre-sensor-mapping--982bef99-b48e-4b19-a792-2541ceaa769c", + "modified": "2023-10-27T20:54:33.916986Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.916986Z", + "id": "relationship--8d3472a8-a88c-48e3-b779-8f5f50c6d910", + "modified": "2023-10-27T20:54:33.916986Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fa47a8fd-06bc-401f-afcd-3c2bfd2981e3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.917988Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "Resets the password for a service-specific credential. The new password is AWS generated and cryptographically strong. It cannot be configured by the user. 
Resetting the password immediately invalidates the previous password associated with this user.", + "event_id": "ResetServiceSpecificCredential", + "id": "x-mitre-sensor-mapping--2d463d63-07cf-4d88-a7a0-241e86588af5", + "modified": "2023-10-27T20:54:33.917988Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.917988Z", + "id": "relationship--ececdf43-0f0f-465d-80f7-9e4359176890", + "modified": "2023-10-27T20:54:33.917988Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fa47a8fd-06bc-401f-afcd-3c2bfd2981e3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.917988Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d8e74209-5fde-4d9b-9219-a9659aa4ad58", + "modified": "2023-10-27T20:54:33.917988Z", + "name": "Cloud Service Disable", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.918998Z", + "data_component": "Cloud Service Disable", + "data_source": "Cloud Service", + "description": "CloudTrail has stopped recording CloudTrail Events. 
This is a significant red flag and should almost always be avoided.", + "event_id": "StopLogging", + "id": "x-mitre-sensor-mapping--df7eb06b-6ddc-4ad4-9b29-d2c230972d8c", + "modified": "2023-10-27T20:54:33.918998Z", + "relationship": "Disabled", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0025" + }, + { + "created": "2023-10-27T20:54:33.918998Z", + "id": "relationship--49ef0ee9-50f5-48ef-9e51-cedeb9362626", + "modified": "2023-10-27T20:54:33.918998Z", + "relationship_type": "Disabled", + "revoked": false, + "source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d8e74209-5fde-4d9b-9219-a9659aa4ad58", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.919998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a6d9134e-e0bc-4412-9c2f-3738c1d3970d", + "modified": "2023-10-27T20:54:33.919998Z", + "name": "Cloud Service Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.919998Z", + "data_component": "Cloud Service Metadata", + "data_source": "Cloud Service", + "description": "Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. 
Recent activity usually appears within four hours.", + "event_id": "GenerateServiceLastAccessedDetails", + "id": "x-mitre-sensor-mapping--fa7ecba0-776f-4b2b-86f6-70c64bbc6d7a", + "modified": "2023-10-27T20:54:33.919998Z", + "relationship": "Enumerate", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Service Report", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0025" + }, + { + "created": "2023-10-27T20:54:33.920998Z", + "id": "relationship--d5b266d2-b3c1-4bfc-a3d2-35911c0399e6", + "modified": "2023-10-27T20:54:33.920998Z", + "relationship_type": "Enumerate", + "revoked": false, + "source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a6d9134e-e0bc-4412-9c2f-3738c1d3970d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.920998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d4200521-f4c9-4f54-a730-224247675d3e", + "modified": "2023-10-27T20:54:33.920998Z", + "name": "Group Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.921985Z", + "data_component": "Group Access", + "data_source": "Group", + "description": "Returns a list of IAM users that are in the specified IAM group.", + "event_id": "GetGroup", + "id": "x-mitre-sensor-mapping--3072183b-9526-4e5f-87a0-a262a6978d65", + "modified": "2023-10-27T20:54:33.921985Z", + "relationship": "Accessed", + "revoked": false, + "source": 
"User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.921985Z", + "id": "relationship--2f9c65cf-9022-458b-b97f-fb696f3e57f0", + "modified": "2023-10-27T20:54:33.921985Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d4200521-f4c9-4f54-a730-224247675d3e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.662867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "modified": "2023-10-27T20:54:33.662867Z", + "name": "Group Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.923522Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "A new group has been created.", + "event_id": "CreateGroup", + "id": "x-mitre-sensor-mapping--de528f0e-b0b0-48d3-857b-42a071391308", + "modified": "2023-10-27T20:54:33.923522Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.924062Z", + "id": "relationship--a11a61d7-d9c6-4681-ae1b-7a0a05be6608", + "modified": "2023-10-27T20:54:33.924062Z", + "relationship_type": "Create", + 
"revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.664867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "modified": "2023-10-27T20:54:33.664867Z", + "name": "Group Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.926425Z", + "data_component": "Group Deletion", + "data_source": "Group", + "description": "An IAM group has been deleted. 
The group won't have contained any users or policies at time of deletion.", + "event_id": "DeleteGroup", + "id": "x-mitre-sensor-mapping--b5e08873-eed1-48b0-883c-a0f8f162cd73", + "modified": "2023-10-27T20:54:33.926425Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.927065Z", + "id": "relationship--43594ba1-7680-4b6b-9938-c666ebb891c1", + "modified": "2023-10-27T20:54:33.927065Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.927065Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "modified": "2023-10-27T20:54:33.927065Z", + "name": "Group Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.92806Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "Lists all managed policies that are attached to the specified IAM group.", + "event_id": "ListAttachedGroupPolicies", + "id": "x-mitre-sensor-mapping--8b54a763-ba6f-44fa-b503-dfa64a581955", + "modified": "2023-10-27T20:54:33.92806Z", + "relationship": "Enumerates", + "revoked": false, + 
"source": "Iam User", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.92806Z", + "id": "relationship--b7740e38-a533-45bc-b309-4309440a2af9", + "modified": "2023-10-27T20:54:33.92806Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.92906Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "Lists the names of the inline policies that are embedded in the specified IAM group.", + "event_id": "ListGroupPolicies", + "id": "x-mitre-sensor-mapping--bd136bf4-0596-48cc-b71d-c36d9bbdb6c4", + "modified": "2023-10-27T20:54:33.92906Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.92906Z", + "id": "relationship--f6058f16-0a61-4def-b73c-62f8df9f1624", + "modified": "2023-10-27T20:54:33.92906Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.92906Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "Lists the IAM groups that have the specified path prefix.", + "event_id": "ListGroups", + "id": "x-mitre-sensor-mapping--fb8f340a-f878-4320-a221-4af53d18a095", + "modified": "2023-10-27T20:54:33.92906Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam 
User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.93006Z", + "id": "relationship--ecf880e2-75ed-405b-ae1f-f1e22b650f0f", + "modified": "2023-10-27T20:54:33.93006Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.93006Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "Lists the IAM groups that the specified IAM user belongs to.", + "event_id": "ListGroupsForUser", + "id": "x-mitre-sensor-mapping--a5eb11e3-f6fc-452c-8d9e-4c6dba0e0dee", + "modified": "2023-10-27T20:54:33.93006Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.93106Z", + "id": "relationship--4560457d-5b6c-4369-8a07-1fb71ba216ee", + "modified": "2023-10-27T20:54:33.93106Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.93106Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "modified": "2023-10-27T20:54:33.93106Z", + "name": "Group Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.932061Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "An inline policy for an IAM group has been deleted.", + "event_id": "DeleteGroupPolicy", + "id": "x-mitre-sensor-mapping--453c2021-10f9-4de4-9f53-a4d429f57c94", + "modified": "2023-10-27T20:54:33.932061Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.932061Z", + "id": "relationship--64a6eb51-6482-49e5-8927-8fa051a04b4b", + "modified": "2023-10-27T20:54:33.932061Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.933048Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Removes the specified managed policy from the specified IAM group.", + "event_id": "DetachGroupPolicy", + "id": "x-mitre-sensor-mapping--60e9fcae-b1b7-4be3-acb4-6cde2b67d268", + "modified": "2023-10-27T20:54:33.933048Z", + "relationship": "Removed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.933048Z", + "id": "relationship--a6c5c4c2-7b57-4e75-b3d8-8f87bf022ebf", + "modified": "2023-10-27T20:54:33.933048Z", + "relationship_type": 
"Removed", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.93406Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Retrieves the specified inline policy document that is embedded in the specified IAM group.", + "event_id": "GetGroupPolicy", + "id": "x-mitre-sensor-mapping--b30f7e31-19dd-4d6a-b7d5-1c7fb0e92fce", + "modified": "2023-10-27T20:54:33.93406Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.93406Z", + "id": "relationship--4b34f736-5208-4434-838d-f1e789b3aa18", + "modified": "2023-10-27T20:54:33.93406Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.93406Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Lists all IAM users, groups, and roles that the specified managed policy is attached to.", + "event_id": "ListEntitiesForPolicy", + "id": "x-mitre-sensor-mapping--05cca61b-05ff-4679-a2a6-7921a9c56025", + "modified": "2023-10-27T20:54:33.93406Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.935048Z", + "id": "relationship--9578962a-7660-45fb-befd-c0ec56a6a719", + "modified": "2023-10-27T20:54:33.935048Z", + 
"relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.935048Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service.\n\nThe list of policies returned by the operation depends on the ARN of the identity that you provide.", + "event_id": "ListPoliciesGrantingServiceAccess", + "id": "x-mitre-sensor-mapping--8c90374a-e7e6-4d58-97e4-7e1ae1b4497d", + "modified": "2023-10-27T20:54:33.935048Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.936061Z", + "id": "relationship--c14e09ca-86b0-488e-8ffc-8d71c28fa5f5", + "modified": "2023-10-27T20:54:33.936061Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.936061Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "A policy for an IAM group has been added or updated.", + "event_id": "PutGroupPolicy", + "id": "x-mitre-sensor-mapping--856db6f5-e007-4ed4-a4e6-e87889d8e249", + "modified": "2023-10-27T20:54:33.936061Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": 
"2023-10-27T20:54:33.93706Z", + "id": "relationship--f0f0417d-cc3d-4538-9760-ce4daa70c592", + "modified": "2023-10-27T20:54:33.93706Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.93706Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Adds or updates an inline policy document that is embedded in the specified IAM group.", + "event_id": "PutGroupPolicy", + "id": "x-mitre-sensor-mapping--4229cf66-27dc-4778-bd40-e6a016e749c2", + "modified": "2023-10-27T20:54:33.93706Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.938061Z", + "id": "relationship--f1eeba65-ba9d-4bf9-bcfc-6d5551dcf978", + "modified": "2023-10-27T20:54:33.938061Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.938061Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. 
If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of.", + "event_id": "GetContextKeysForPrincipalPolicy", + "id": "x-mitre-sensor-mapping--ca9385de-4ce9-4b00-8a30-664a78ef1b3c", + "modified": "2023-10-27T20:54:33.938061Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.93906Z", + "id": "relationship--5498e762-1f70-4697-830e-3a7ee665b660", + "modified": "2023-10-27T20:54:33.93906Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.940158Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "modified": "2023-10-27T20:54:33.940158Z", + "name": "Group Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.942064Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A user has been added to a group.", + "event_id": "AddUserToGroup", + "id": "x-mitre-sensor-mapping--c7bc512c-2379-406b-8772-bf681e90c50b", + "modified": "2023-10-27T20:54:33.942064Z", + "relationship": 
"Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.942064Z", + "id": "relationship--f77c0889-5a42-4986-b14f-7a1aaebc398a", + "modified": "2023-10-27T20:54:33.942064Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.943595Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A managed policy has been added to an IAM group.", + "event_id": "AttachGroupPolicy", + "id": "x-mitre-sensor-mapping--ce306246-b7f5-4b39-87e9-bb2af0322d88", + "modified": "2023-10-27T20:54:33.943595Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.944141Z", + "id": "relationship--8e8e146c-ee9b-438b-ae47-1061b81dd982", + "modified": "2023-10-27T20:54:33.944141Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.944141Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A user has been removed from an IAM group.", + "event_id": "RemoveUserFromGroup", + "id": "x-mitre-sensor-mapping--27b3e68a-be33-4bf4-b058-7546532f2c8b", + "modified": "2023-10-27T20:54:33.944141Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam 
User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.945128Z", + "id": "relationship--efdbd142-d7a8-44a4-b8e1-378d8572edb6", + "modified": "2023-10-27T20:54:33.945128Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.945128Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "Updates the name and/or the path of the specified IAM group.", + "event_id": "UpdateGroup", + "id": "x-mitre-sensor-mapping--dc43677b-382d-4d31-9537-cc27ba8dbc5e", + "modified": "2023-10-27T20:54:33.945128Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.946214Z", + "id": "relationship--21e27b97-b9a1-48fe-b3f6-47117c5ec76c", + "modified": "2023-10-27T20:54:33.946214Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.946214Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--9e1ca964-bfba-4c03-aae8-b7914a9e3a97", + "modified": "2023-10-27T20:54:33.946214Z", + "name": "Image Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.94713Z", + "data_component": "Image Creation", + "data_source": "Image", + "description": "Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.", + "event_id": "CreateImage", + "id": "x-mitre-sensor-mapping--8e2c9916-784f-4ed2-94cb-e2dcdc423067", + "modified": "2023-10-27T20:54:33.94713Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Amazon Machine Image(Ami)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0007" + }, + { + "created": "2023-10-27T20:54:33.948128Z", + "id": "relationship--b88f249f-9b1c-414c-a8d2-4023f70cab61", + "modified": "2023-10-27T20:54:33.948128Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9e1ca964-bfba-4c03-aae8-b7914a9e3a97", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.948128Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2fd7e00a-f33a-4ae8-bf98-d75aec1b1b75", + "modified": "2023-10-27T20:54:33.948128Z", + "name": "Image Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.949134Z", + "data_component": "Image Modification", + "data_source": "Image", + "description": "Modifies the specified attribute of the specified AMI. You can specify only one attribute at a time.", + "event_id": "ModifyImageAttribute", + "id": "x-mitre-sensor-mapping--a3767bbe-bbe0-423b-b277-49fad2a3d678", + "modified": "2023-10-27T20:54:33.949134Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Image", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0007" + }, + { + "created": "2023-10-27T20:54:33.950131Z", + "id": "relationship--db05f79d-a271-4ea5-83ee-ccafc7ac122c", + "modified": "2023-10-27T20:54:33.950131Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2fd7e00a-f33a-4ae8-bf98-d75aec1b1b75", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.950131Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "modified": "2023-10-27T20:54:33.950131Z", + "name": "Instance Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.951131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Adds the specified 
IAM role to the specified instance profile. An instance profile can contain only one role, and this quota cannot be increased. You can remove the existing role and then add a different role to an instance profile.", + "event_id": "AddRoleToInstanceProfile", + "id": "x-mitre-sensor-mapping--885bfc14-f96a-4bf4-92ed-0d39eae08834", + "modified": "2023-10-27T20:54:33.951131Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.952138Z", + "id": "relationship--52162e3b-04f8-4c77-a645-690f23661c7b", + "modified": "2023-10-27T20:54:33.952138Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.953131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Creates a new instance profile.", + "event_id": "CreateInstanceProfile", + "id": "x-mitre-sensor-mapping--17d27b9f-66be-448b-b1ab-e32f4528a60d", + "modified": "2023-10-27T20:54:33.953131Z", + "relationship": "Create", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.953131Z", + "id": "relationship--e3904b86-6237-49a0-8e7e-6a555753de6c", + "modified": "2023-10-27T20:54:33.953131Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": 
"2023-10-27T20:54:33.954131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Deletes the specified instance profile. The instance profile must not have an associated role.", + "event_id": "DeleteInstanceProfile", + "id": "x-mitre-sensor-mapping--6ab3f3fc-84c8-43dc-9cbe-f44e628619ff", + "modified": "2023-10-27T20:54:33.954131Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.955128Z", + "id": "relationship--bff36c51-9a61-460d-908c-ff6d53dc2dfe", + "modified": "2023-10-27T20:54:33.955128Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.956127Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role.", + "event_id": "GetInstanceProfile", + "id": "x-mitre-sensor-mapping--517b3f90-071c-4f16-83e8-f1f1443a2b47", + "modified": "2023-10-27T20:54:33.956127Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.957136Z", + "id": "relationship--1e343448-7269-4291-97cc-2a5e011e6b6f", + "modified": "2023-10-27T20:54:33.957136Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.958127Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.", + "event_id": "ListInstanceProfiles", + "id": "x-mitre-sensor-mapping--d0d0dc7e-c3ab-4587-8d81-910141f2122d", + "modified": "2023-10-27T20:54:33.958127Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.959127Z", + "id": "relationship--857c24c6-6cc4-454d-84ed-1fbebd174d09", + "modified": "2023-10-27T20:54:33.959127Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.960127Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Lists the instance profiles that have the specified associated IAM role. 
If there are none, the operation returns an empty list.", + "event_id": "ListInstanceProfilesForRole", + "id": "x-mitre-sensor-mapping--ba66091c-f900-4ae3-aee9-0ec9905b4ed1", + "modified": "2023-10-27T20:54:33.960127Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.961133Z", + "id": "relationship--8c5a0c97-d816-4665-b33b-032a9332e822", + "modified": "2023-10-27T20:54:33.961133Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.962131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Lists the tags that are attached to the specified IAM instance profile. 
The returned list of tags is sorted by tag key.", + "event_id": "ListInstanceProfileTags", + "id": "x-mitre-sensor-mapping--b9b198e8-3cb8-4b6f-82d4-edb2fd4e29ab", + "modified": "2023-10-27T20:54:33.962131Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.963133Z", + "id": "relationship--71456e01-53f4-447f-961b-095d4eba4c21", + "modified": "2023-10-27T20:54:33.963133Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.964133Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "An IAM role has been removed from an EC2 instance profile.", + "event_id": "RemoveRoleFromInstanceProfile", + "id": "x-mitre-sensor-mapping--f518d0c0-dd2b-4889-86ac-3946ff578e3b", + "modified": "2023-10-27T20:54:33.964133Z", + "relationship": "Removed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.964133Z", + "id": "relationship--b24a7ef0-cf7e-4f34-bbb0-759aee4be9fd", + "modified": "2023-10-27T20:54:33.964133Z", + "relationship_type": "Removed", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.965131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Adds one or more 
tags to an IAM instance profile. If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagInstanceProfile", + "id": "x-mitre-sensor-mapping--ca4dcefc-f182-4e82-b277-f0116818b41d", + "modified": "2023-10-27T20:54:33.965131Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.965131Z", + "id": "relationship--1f77f944-253b-420c-a7b8-73db508edb73", + "modified": "2023-10-27T20:54:33.965131Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.966128Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Removes the specified tags from the IAM instance profile.", + "event_id": "UntagInstanceProfile", + "id": "x-mitre-sensor-mapping--f9fba9a1-af87-4760-8d1d-846157c02f18", + "modified": "2023-10-27T20:54:33.966128Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.966128Z", + "id": "relationship--ada8e211-53ef-48d2-8e43-277705b92052", + "modified": "2023-10-27T20:54:33.966128Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.967128Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--3ee04f41-a5f8-4a78-a738-8876217101bf", + "modified": "2023-10-27T20:54:33.967128Z", + "name": "Instance Start", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.967128Z", + "data_component": "Instance Start", + "data_source": "Instance", + "description": "An Instance has been launched. From the associated metadata you’ll be able to determine who the owner is, what regions the resources are in, the InstanceType and more.", + "event_id": "RunInstances", + "id": "x-mitre-sensor-mapping--6c14ec55-662f-4a63-93f9-d73fbea1d442", + "modified": "2023-10-27T20:54:33.967128Z", + "relationship": "Creates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.968128Z", + "id": "relationship--dbeacd2e-b965-4d61-afb1-feb5ef925350", + "modified": "2023-10-27T20:54:33.968128Z", + "relationship_type": "Creates", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3ee04f41-a5f8-4a78-a738-8876217101bf", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.968128Z", + "data_component": "Instance Start", + "data_source": "Instance", + "description": "An instance has been started. 
Similar metadata to RunInstances will give you an insight into more detail.", + "event_id": "StartInstances", + "id": "x-mitre-sensor-mapping--32d72d8e-3515-4236-bd7a-50f450bea824", + "modified": "2023-10-27T20:54:33.968128Z", + "relationship": "Started", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.969128Z", + "id": "relationship--2f30c022-aaaf-4592-8c4c-9c0f814a706c", + "modified": "2023-10-27T20:54:33.969128Z", + "relationship_type": "Started", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3ee04f41-a5f8-4a78-a738-8876217101bf", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.969128Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--c893f813-bc12-4bad-935a-baa01bf797b4", + "modified": "2023-10-27T20:54:33.969128Z", + "name": "Instance Stop", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.970128Z", + "data_component": "Instance Stop", + "data_source": "Instance", + "description": "Stops an Amazon EBS-backed instance.\nSimilar to StartInstances and RunInstances.", + "event_id": "StopInstances", + "id": "x-mitre-sensor-mapping--ad8da69b-d4a5-4c0a-bef2-28db88662aa7", + "modified": "2023-10-27T20:54:33.970128Z", + "relationship": "Stopped", + "revoked": false, + 
"source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.970128Z", + "id": "relationship--80893936-0321-4761-aafe-449e61198973", + "modified": "2023-10-27T20:54:33.970128Z", + "relationship_type": "Stopped", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--c893f813-bc12-4bad-935a-baa01bf797b4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.668869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "modified": "2023-10-27T20:54:33.668869Z", + "name": "Logon Session Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.971129Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "A user has signed into AWS Management Console. 
That user could be an account owner, a federated user or an IAM user.", + "event_id": "ConsoleLogin", + "id": "x-mitre-sensor-mapping--cc33d6b4-d7dd-49cf-8b14-1564c78c1340", + "modified": "2023-10-27T20:54:33.971129Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.971129Z", + "id": "relationship--fe185e0e-70a8-416f-9d99-1731c1e363b6", + "modified": "2023-10-27T20:54:33.971129Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.974135Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0c409d14-271d-4c75-b1f0-2be860c252f7", + "modified": "2023-10-27T20:54:33.974135Z", + "name": "Snapshot Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.975137Z", + "data_component": "Snapshot Creation", + "data_source": "Snapshot", + "description": "Creates a snapshot of an EBS volume and stores it in Amazon S3.", + "event_id": "CreateSnapshot", + "id": "x-mitre-sensor-mapping--c6e8d83f-56b9-4d64-9dce-32c0379938ea", + "modified": "2023-10-27T20:54:33.975137Z", + "relationship": "Create", + "revoked": false, + "source": 
"User/Process", + "spec_version": "2.1", + "target": "Snapshot", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0020" + }, + { + "created": "2023-10-27T20:54:33.976135Z", + "id": "relationship--93c5c405-fb07-4649-953b-01b496423ffc", + "modified": "2023-10-27T20:54:33.976135Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0c409d14-271d-4c75-b1f0-2be860c252f7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.977489Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e2b8730b-ffe0-4033-a424-c70fced54b0b", + "modified": "2023-10-27T20:54:33.977489Z", + "name": "Snapshot Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.978131Z", + "data_component": "Snapshot Deletion", + "data_source": "Snapshot", + "description": "Deletes the specified snapshot.", + "event_id": "DeleteSnapshot", + "id": "x-mitre-sensor-mapping--b00917cb-6859-4d7b-aa5c-e350b27d7635", + "modified": "2023-10-27T20:54:33.978131Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Snapshot", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0020" + }, + { + "created": "2023-10-27T20:54:33.979145Z", + "id": "relationship--7c949ca9-e2b4-4990-b988-704bf1918745", + "modified": "2023-10-27T20:54:33.979145Z", + "relationship_type": 
"Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e2b8730b-ffe0-4033-a424-c70fced54b0b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.979145Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ab0cc187-152c-4ce7-ab29-8ab97bafd3a3", + "modified": "2023-10-27T20:54:33.979145Z", + "name": "Snapshot Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.980131Z", + "data_component": "Snapshot Modification", + "data_source": "Snapshot", + "description": "Adds or removes permission settings for the specified snapshot. 
You may add or remove specified AWS account IDs from a snapshot's list of create volume permissions, but you cannot do both in a single operation.", + "event_id": "ModifySnapshotAttribute", + "id": "x-mitre-sensor-mapping--89b21aa3-7548-4b23-974a-5592a129ce95", + "modified": "2023-10-27T20:54:33.980131Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Snapshot", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0020" + }, + { + "created": "2023-10-27T20:54:33.982133Z", + "id": "relationship--d889953e-9ab6-4a99-b078-bb44ded20c97", + "modified": "2023-10-27T20:54:33.982133Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ab0cc187-152c-4ce7-ab29-8ab97bafd3a3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.72287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "modified": "2023-10-27T20:54:33.72287Z", + "name": "User Account Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.983138Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "Retrieves information about IAM entity usage and IAM quotas in the AWS account.", + "event_id": "GetAccountSummary", + "id": 
"x-mitre-sensor-mapping--b43445b5-6f26-41a4-aa0e-cd0a41004d53", + "modified": "2023-10-27T20:54:33.983138Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.983138Z", + "id": "relationship--6adcb8d8-1943-463d-bfb0-4b26686eadfb", + "modified": "2023-10-27T20:54:33.983138Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.984134Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "Retrieves the specified SSH public key, including metadata about the key.\n\nThe SSH public key retrieved by this operation is used only for authenticating the associated IAM user to an CodeCommit repository.", + "event_id": "GetSSHPublicKey", + "id": "x-mitre-sensor-mapping--1d5448b1-e06a-4817-86f6-e675bee7df89", + "modified": "2023-10-27T20:54:33.984134Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Ssh Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.985131Z", + "id": "relationship--29e6ecfe-7a49-488e-9a04-ea8126340d36", + "modified": "2023-10-27T20:54:33.985131Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.986344Z", + "data_component": "User Account Access", + "data_source": "User 
Account", + "description": "Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.", + "event_id": "GetUser", + "id": "x-mitre-sensor-mapping--98defa73-fe3c-42ce-b077-6d8010fce0e2", + "modified": "2023-10-27T20:54:33.986344Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.987136Z", + "id": "relationship--33b4856c-fc23-4a86-94a2-a9cbe210f276", + "modified": "2023-10-27T20:54:33.987136Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.726922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "modified": "2023-10-27T20:54:33.726922Z", + "name": "User Account Authentication", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.991134Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Creates a new virtual MFA device for the AWS account. 
After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user.", + "event_id": "CreateVirtualMFADevice", + "id": "x-mitre-sensor-mapping--a8914d08-ee9a-40a0-840c-b4ed9bfa13a6", + "modified": "2023-10-27T20:54:33.991134Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.991134Z", + "id": "relationship--fe5de009-c585-47e4-aeb8-80f5ed7579c2", + "modified": "2023-10-27T20:54:33.991134Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.993133Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.", + "event_id": "DeactivateMFADevice", + "id": "x-mitre-sensor-mapping--d9bf8e04-85c3-4f17-8a16-f2758148e5aa", + "modified": "2023-10-27T20:54:33.993133Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.994136Z", + "id": "relationship--ad761105-812c-474f-84e1-0dcdcb88b545", + "modified": "2023-10-27T20:54:33.994136Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.994136Z", + 
"data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Deletes a virtual MFA device.", + "event_id": "DeleteVirtualMFADevice", + "id": "x-mitre-sensor-mapping--03492cfb-d8bc-4418-b019-e86f040df8a9", + "modified": "2023-10-27T20:54:33.994136Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.995134Z", + "id": "relationship--71e1dc0d-2680-4a45-b74f-831d8ca9746f", + "modified": "2023-10-27T20:54:33.995134Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.99615Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Enables the specified MFA device and associates it with the specified IAM user. 
When enabled, the MFA device is required for every subsequent login by the IAM user associated with the device.", + "event_id": "EnableMFADevice", + "id": "x-mitre-sensor-mapping--ad8494cf-d381-42d8-a5c9-3b717a4f2d6c", + "modified": "2023-10-27T20:54:33.99615Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.997141Z", + "id": "relationship--506fb270-35f3-4a83-b255-49bd7c6bf724", + "modified": "2023-10-27T20:54:33.997141Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.998137Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Retrieves information about an MFA device for a specified user.", + "event_id": "GetMFADevice", + "id": "x-mitre-sensor-mapping--b733a6b2-d18a-44f3-b7b6-089be13eed9e", + "modified": "2023-10-27T20:54:33.998137Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.998137Z", + "id": "relationship--0b5b6e04-7e6b-4077-a303-42706307d880", + "modified": "2023-10-27T20:54:33.998137Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.999131Z", + "data_component": "User Account Authentication", + 
"data_source": "User Account", + "description": "Lists the MFA devices for an IAM user. If the request includes a IAM user name, then this operation lists all the MFA devices associated with the specified user.\n\nIf you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request for this operation.", + "event_id": "ListMFADevices", + "id": "x-mitre-sensor-mapping--9f2a9235-ba55-43a3-bfca-6ff7ecec8ebc", + "modified": "2023-10-27T20:54:33.999131Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.999131Z", + "id": "relationship--8086027e-265b-4348-8d94-03ea6a279429", + "modified": "2023-10-27T20:54:33.999131Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.000129Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. 
The returned list of tags is sorted by tag key.", + "event_id": "ListMFADeviceTags", + "id": "x-mitre-sensor-mapping--85963163-3fa8-4278-b540-985af695c398", + "modified": "2023-10-27T20:54:34.000129Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.000129Z", + "id": "relationship--ac215266-652a-4942-82e7-4ecd5a841560", + "modified": "2023-10-27T20:54:34.000129Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.001128Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Lists the virtual MFA devices defined in the AWS account by assignment status. 
If you do not specify an assignment status, the operation returns a list of all virtual MFA devices.", + "event_id": "ListVirtualMFADevices", + "id": "x-mitre-sensor-mapping--3367ea67-fb56-4546-8eca-0dceff722108", + "modified": "2023-10-27T20:54:34.001128Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.002133Z", + "id": "relationship--3f570e41-0808-4d16-a856-bc82b818fc05", + "modified": "2023-10-27T20:54:34.002133Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.002133Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Synchronizes the specified MFA device with its IAM resource object on the AWS servers.", + "event_id": "ResyncMFADevice", + "id": "x-mitre-sensor-mapping--7a523993-fdec-450f-99aa-d68cd4e7a516", + "modified": "2023-10-27T20:54:34.002133Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.003132Z", + "id": "relationship--f162351e-b452-400a-85a1-6fb90bde9edc", + "modified": "2023-10-27T20:54:34.003132Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.004129Z", + "data_component": "User 
Account Authentication", + "data_source": "User Account", + "description": "Adds one or more tags to an IAM virtual multi-factor authentication (MFA) device. If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagMFADevice", + "id": "x-mitre-sensor-mapping--1c74ab35-fa79-42da-8487-b188574ba5da", + "modified": "2023-10-27T20:54:34.004129Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.005128Z", + "id": "relationship--4c5802d5-1ce5-4e55-bdbe-5c83afa061b2", + "modified": "2023-10-27T20:54:34.005128Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.005128Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Removes the specified tags from the IAM virtual multi-factor authentication (MFA) device.", + "event_id": "UntagMFADevice", + "id": "x-mitre-sensor-mapping--79c1bfa4-9722-4cce-98da-cdd994e269ca", + "modified": "2023-10-27T20:54:34.005128Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.006344Z", + "id": "relationship--db891c6c-0954-45a1-b2a8-8c5501ed7b5c", + "modified": "2023-10-27T20:54:34.006344Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.739931Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "modified": "2023-10-27T20:54:33.739931Z", + "name": "User Account Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.008134Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "A new IAM user has been created for an AWS account.", + "event_id": "CreateUser", + "id": "x-mitre-sensor-mapping--a65f6a88-1402-4bb1-8ed5-e1a87206c932", + "modified": "2023-10-27T20:54:34.008134Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.008134Z", + "id": "relationship--48bc6b35-76ea-4ba6-bb9a-caeb606c8569", + "modified": "2023-10-27T20:54:34.008134Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.743925Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + 
"modified": "2023-10-27T20:54:33.743925Z", + "name": "User Account Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.010134Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "A user has been deleted.", + "event_id": "DeleteUser", + "id": "x-mitre-sensor-mapping--0114a8a0-965c-4677-8a55-f544877de45e", + "modified": "2023-10-27T20:54:34.010134Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.011134Z", + "id": "relationship--5633bc8c-9ab0-4893-8d6e-f1c7708cec9b", + "modified": "2023-10-27T20:54:34.011134Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.011134Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "modified": "2023-10-27T20:54:34.011134Z", + "name": "User Account Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.012131Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Returns information about the access key IDs associated with the specified IAM user. If there is none, the operation returns an empty list.", + "event_id": "ListAccessKeys", + "id": "x-mitre-sensor-mapping--a7e0a374-54f5-432b-9485-d724bc979027", + "modified": "2023-10-27T20:54:34.012131Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Access Keys", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.012131Z", + "id": "relationship--983ee6ad-feaa-485d-b525-c7ec7b903747", + "modified": "2023-10-27T20:54:34.012131Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.013135Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists the account alias associated with the AWS account (Note: you can have only one).", + "event_id": "ListAccountAliases", + "id": "x-mitre-sensor-mapping--372a76d2-93b6-44e6-a669-18bc142cd24d", + "modified": "2023-10-27T20:54:34.013135Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.014133Z", + "id": 
"relationship--7b2d6bf5-b1de-47cc-b1eb-d69d5f00e9ba", + "modified": "2023-10-27T20:54:34.014133Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.014133Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists all managed policies that are attached to the specified IAM user.", + "event_id": "ListAttachedUserPolicies", + "id": "x-mitre-sensor-mapping--c42abfd4-9f46-4df2-a245-63e241c1a40e", + "modified": "2023-10-27T20:54:34.014133Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.015131Z", + "id": "relationship--23f3baef-8f88-4f8f-88c0-79470820d839", + "modified": "2023-10-27T20:54:34.015131Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.016244Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies.", + "event_id": "ListPolicies", + "id": "x-mitre-sensor-mapping--a3174459-87d8-4eb0-8c90-7d646a2d13f7", + "modified": "2023-10-27T20:54:34.016244Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.016244Z", + "id": "relationship--b1e5c7c7-2450-4b6d-acdf-3ed53d7670b6", + "modified": "2023-10-27T20:54:34.016244Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.01713Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Returns information about the service-specific credentials associated with the specified IAM user. If none exists, the operation returns an empty list. The service-specific credentials returned by this operation are used only for authenticating the IAM user to a specific service.", + "event_id": "ListServiceSpecificCredentials", + "id": "x-mitre-sensor-mapping--d0b5f7e8-9833-47f0-8e7f-a404384c7607", + "modified": "2023-10-27T20:54:34.01713Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.01713Z", + "id": "relationship--8ab88f05-8c54-47d8-813c-ad571714f13c", + "modified": "2023-10-27T20:54:34.01713Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.018133Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Returns information about the signing certificates associated with the specified IAM user. 
If none exists, the operation returns an empty list.", + "event_id": "ListSigningCertificates", + "id": "x-mitre-sensor-mapping--3198219e-60dc-4c5a-85b8-9999f43b26ce", + "modified": "2023-10-27T20:54:34.018133Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.018133Z", + "id": "relationship--6403efe8-eb67-4e37-b1d0-d657ce06d5d6", + "modified": "2023-10-27T20:54:34.018133Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.019133Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Returns information about the SSH public keys associated with the specified IAM user. 
If none exists, the operation returns an empty list.", + "event_id": "ListSSHPublicKeys", + "id": "x-mitre-sensor-mapping--0ea29002-5f3f-45bd-84bf-bdd566c3b052", + "modified": "2023-10-27T20:54:34.019133Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Ssh Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.019133Z", + "id": "relationship--caaa0f98-9a83-450b-8cb6-2740c959b40c", + "modified": "2023-10-27T20:54:34.019133Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.020138Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists the names of the inline policies embedded in the specified IAM user.", + "event_id": "ListUserPolicies", + "id": "x-mitre-sensor-mapping--56ee3cb6-8a25-4ec4-9d34-c55da160fa74", + "modified": "2023-10-27T20:54:34.020138Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.021133Z", + "id": "relationship--88083844-00c5-44d4-b41e-200c220e5d59", + "modified": "2023-10-27T20:54:34.021133Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.022136Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + 
"description": "Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account.", + "event_id": "ListUsers", + "id": "x-mitre-sensor-mapping--2bdba96c-f947-469f-9f1c-2ed566bd2421", + "modified": "2023-10-27T20:54:34.022136Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.022136Z", + "id": "relationship--0a925b02-c2e9-4606-8d26-419ee95e329f", + "modified": "2023-10-27T20:54:34.022136Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.023692Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists the tags that are attached to the specified IAM user. 
The returned list of tags is sorted by tag key.", + "event_id": "ListUserTags", + "id": "x-mitre-sensor-mapping--fd61a3bd-76d7-4f4b-b351-fc80902359db", + "modified": "2023-10-27T20:54:34.023692Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.025666Z", + "id": "relationship--784567aa-d4f9-4436-adc6-b74912129738", + "modified": "2023-10-27T20:54:34.025666Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.757924Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "modified": "2023-10-27T20:54:33.757924Z", + "name": "User Account Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.026661Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. 
This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state.", + "event_id": "CreateServiceLinkedRole", + "id": "x-mitre-sensor-mapping--a96c6fd0-777d-4b92-b777-88f9c77a79a3", + "modified": "2023-10-27T20:54:34.026661Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.02766Z", + "id": "relationship--7525f623-7d6c-474c-947c-1685540c7ff8", + "modified": "2023-10-27T20:54:34.02766Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.02766Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request. 
These credentials are generated by IAM, and can be used only for the specified service.\n\nYou can have a maximum of two sets of service-specific credentials for each supported service per user.", + "event_id": "CreateServiceSpecificCredential", + "id": "x-mitre-sensor-mapping--e17d16a2-2bbe-41e4-b4df-2b77f660035f", + "modified": "2023-10-27T20:54:34.02766Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.028663Z", + "id": "relationship--4a173c01-4f5d-439d-bf62-8ee9a154e9a9", + "modified": "2023-10-27T20:54:34.028663Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.029668Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An access key pair for an IAM user has been deleted.", + "event_id": "DeleteAccessKey", + "id": "x-mitre-sensor-mapping--9ba16ecf-1117-42b9-865d-9b384bcb2891", + "modified": "2023-10-27T20:54:34.029668Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Access Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.029668Z", + "id": "relationship--2c322cc4-c3c9-4009-a018-98bcc25e90fe", + "modified": "2023-10-27T20:54:34.029668Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + 
"created": "2023-10-27T20:54:34.030662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An AWS account alias has been deleted.", + "event_id": "DeleteAccountAlias", + "id": "x-mitre-sensor-mapping--8946e2d8-ff55-43a1-9ff8-6f355604a156", + "modified": "2023-10-27T20:54:34.030662Z", + "relationship": "Delete", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account Alias", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.031662Z", + "id": "relationship--9554cc82-d5fb-4466-b584-4cede87ed340", + "modified": "2023-10-27T20:54:34.031662Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.032662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A password policy for an account has been deleted.", + "event_id": "DeleteAccountPasswordPolicy", + "id": "x-mitre-sensor-mapping--e5183f8c-138d-434d-a3ef-893be870b2ae", + "modified": "2023-10-27T20:54:34.032662Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.032662Z", + "id": "relationship--67f53d5f-db55-408a-84c4-744bd1b2426c", + "modified": "2023-10-27T20:54:34.032662Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.033663Z", 
+ "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A password for an IAM user has been deleted thus removing that user's ability to access services through the console.", + "event_id": "DeleteLoginProfile", + "id": "x-mitre-sensor-mapping--7727209d-e021-492c-b2e5-2e4438cb49dc", + "modified": "2023-10-27T20:54:34.033663Z", + "relationship": "Delete", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.034663Z", + "id": "relationship--c8907601-ae22-488e-8100-91d480d949c7", + "modified": "2023-10-27T20:54:34.034663Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.034663Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A version of a policy has been deleted.", + "event_id": "DeletePolicyVersion", + "id": "x-mitre-sensor-mapping--ae801602-b8e7-472f-b556-c4e284829862", + "modified": "2023-10-27T20:54:34.034663Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.036698Z", + "id": "relationship--72ebe420-d732-444f-b79f-06e041971a54", + "modified": "2023-10-27T20:54:34.036698Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": 
"2023-10-27T20:54:34.037665Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A role has been deleted. The role will not have had any policies attached if it was able to be deleted.", + "event_id": "DeleteRole", + "id": "x-mitre-sensor-mapping--0914a597-ae5f-4a7c-aa28-0e143e839557", + "modified": "2023-10-27T20:54:34.037665Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.038665Z", + "id": "relationship--ff564cb8-7012-4483-9b6d-a65e8c227809", + "modified": "2023-10-27T20:54:34.038665Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.038665Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Deletes the permissions boundary for the specified IAM role.\n\nYou cannot set the boundary for a service-linked role.", + "event_id": "DeleteRolePermissionsBoundary", + "id": "x-mitre-sensor-mapping--c2426a73-e158-45af-bd09-691f0ac3dbac", + "modified": "2023-10-27T20:54:34.038665Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Permissions", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.039664Z", + "id": "relationship--368421c0-c7d5-4210-9a16-fa142e04bb82", + "modified": "2023-10-27T20:54:34.039664Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.040663Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An inline policy for an IAM role has been deleted.", + "event_id": "DeleteRolePolicy", + "id": "x-mitre-sensor-mapping--ff5608bb-fa99-4e75-9de0-f51246e12d2c", + "modified": "2023-10-27T20:54:34.040663Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.041662Z", + "id": "relationship--e2933c14-aaa5-4c0e-8e94-a63fd235b226", + "modified": "2023-10-27T20:54:34.041662Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.041662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Deletes the specified service-specific credential.", + "event_id": "DeleteServiceSpecificCredential", + "id": "x-mitre-sensor-mapping--41b562dd-7c29-4bf2-a6c1-f8dff32ce151", + "modified": "2023-10-27T20:54:34.041662Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.042661Z", + "id": "relationship--34eac9cf-bf9a-429d-9446-d2f50ed70c9a", + "modified": "2023-10-27T20:54:34.042661Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.043661Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A signing certificate has been deleted.", + "event_id": "DeleteSigningCertificate", + "id": "x-mitre-sensor-mapping--61241a64-f97b-41f2-a608-94ed02a47f0d", + "modified": "2023-10-27T20:54:34.043661Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.043661Z", + "id": "relationship--4661a7cb-90a7-4ae3-a6f4-0c40f03c440d", + "modified": "2023-10-27T20:54:34.043661Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.044662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An SSH public key has been deleted.\n\nThe SSH public key deleted by this operation is used only for authenticating the associated IAM user to an CodeCommit repository.", + "event_id": "DeleteSSHPublicKey", + "id": "x-mitre-sensor-mapping--4dd3e9f5-03fe-43e2-909d-7061250f12f6", + "modified": "2023-10-27T20:54:34.044662Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Public Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.044662Z", + "id": "relationship--6b0659b9-a889-4a63-8ada-5c0f88314f37", + "modified": "2023-10-27T20:54:34.044662Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.045754Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Deletes the permissions boundary for the specified IAM user.", + "event_id": "DeleteUserPermissionsBoundary", + "id": "x-mitre-sensor-mapping--95f9b6d1-38bc-4a02-a5d0-11a3eca5c9ad", + "modified": "2023-10-27T20:54:34.045754Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Permissions", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.04666Z", + "id": "relationship--a072f5f8-63f4-4dee-b037-bc8dfedb2a5f", + "modified": "2023-10-27T20:54:34.04666Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.04666Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An inline policy for an IAM user has been deleted.", + "event_id": "DeleteUserPolicy", + "id": "x-mitre-sensor-mapping--d6724e61-fe89-40de-b7fb-4c471c49cf5e", + "modified": "2023-10-27T20:54:34.04666Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.047661Z", + "id": "relationship--e5e858b5-5e2c-4c3e-86a5-5bd92ca77c28", + "modified": "2023-10-27T20:54:34.047661Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.047661Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A managed policy has been removed from a role.", + "event_id": "DetachRolePolicy", + "id": "x-mitre-sensor-mapping--4e1f93d0-b753-4a68-882c-02ddd3465f10", + "modified": "2023-10-27T20:54:34.047661Z", + "relationship": "Removed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.04867Z", + "id": "relationship--e68cfca1-c10c-451f-a813-d7b83c2d9a89", + "modified": "2023-10-27T20:54:34.04867Z", + "relationship_type": "Removed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.04966Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A managed policy has been removed from a user.", + "event_id": "DetachUserPolicy", + "id": "x-mitre-sensor-mapping--965d11e3-ead6-4194-902e-a40a5f27988a", + "modified": "2023-10-27T20:54:34.04966Z", + "relationship": "Removed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.04966Z", + "id": "relationship--577f4ee9-4774-4e77-87a6-a1752c011f2e", + "modified": "2023-10-27T20:54:34.04966Z", + "relationship_type": "Removed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.050659Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves a credential report for the AWS account.", + "event_id": "GenerateCredentialReport", + "id": "x-mitre-sensor-mapping--a8161083-2f59-4975-977d-466f619480b3", + "modified": "2023-10-27T20:54:34.050659Z", + "relationship": "Enumerate", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.050659Z", + "id": "relationship--e89f5cef-c295-4c3e-b236-ee57c048b11a", + "modified": "2023-10-27T20:54:34.050659Z", + "relationship_type": "Enumerate", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.051659Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves a credential report for the AWS account.", + "event_id": "GetCredentialReport", + "id": "x-mitre-sensor-mapping--277dce9f-bf33-4e3d-9217-5babf2042d3a", + "modified": "2023-10-27T20:54:34.051659Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.05266Z", + "id": "relationship--4cd7ed89-51bb-42c2-967d-58daad0b635c", + "modified": "2023-10-27T20:54:34.05266Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.053664Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists the names of the inline policies that are embedded in the specified IAM role.", + "event_id": "ListRolePolicies", + "id": "x-mitre-sensor-mapping--7611c64c-d1e9-4aff-bf58-ec116b25b0be", + "modified": "2023-10-27T20:54:34.053664Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.053664Z", + "id": "relationship--110daf3a-044e-4b38-bbc7-4ef56a9b8c3e", + "modified": "2023-10-27T20:54:34.053664Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.054662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists the IAM roles that have the specified path prefix. 
If there are none, the operation returns an empty list.", + "event_id": "ListRoles", + "id": "x-mitre-sensor-mapping--5251ff50-9d4a-4244-a38b-cfe5cfa928d1", + "modified": "2023-10-27T20:54:34.054662Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.055662Z", + "id": "relationship--8c00b5ee-dd72-4d17-90e8-4caded784f03", + "modified": "2023-10-27T20:54:34.055662Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.055662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists the tags that are attached to the specified role. 
The returned list of tags is sorted by tag key.", + "event_id": "ListRoleTags", + "id": "x-mitre-sensor-mapping--943d08fb-85f8-48b3-8f42-35cee656789b", + "modified": "2023-10-27T20:54:34.055662Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.056661Z", + "id": "relationship--7aed3acd-d8d5-4c29-899c-3ecae83822ec", + "modified": "2023-10-27T20:54:34.056661Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.057663Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds or updates the policy that is specified as the IAM role's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a role. Use the boundary to control the maximum permissions that the role can have. 
Setting a permissions boundary is an advanced feature that can affect the permissions for the role.", + "event_id": "PutRolePermissionsBoundary", + "id": "x-mitre-sensor-mapping--603037ed-30cd-48e3-b6e9-330e9fe9319c", + "modified": "2023-10-27T20:54:34.057663Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.058662Z", + "id": "relationship--df746c24-581f-465f-9d6b-1dc3ab986094", + "modified": "2023-10-27T20:54:34.058662Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.058662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A policy for an IAM role has been added or updated.", + "event_id": "PutRolePolicy", + "id": "x-mitre-sensor-mapping--be7f68f1-beda-47e3-afca-86f1f1473a9e", + "modified": "2023-10-27T20:54:34.058662Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.059661Z", + "id": "relationship--478e826a-f717-4453-9c2e-ebb562aea559", + "modified": "2023-10-27T20:54:34.059661Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.059661Z", + "data_component": "User Account 
Metadata", + "data_source": "User Account", + "description": "Adds or updates an inline policy document that is embedded in the specified IAM role.", + "event_id": "PutRolePolicy", + "id": "x-mitre-sensor-mapping--0b1381fc-cf8d-46ca-90ad-a6a1926dcdfa", + "modified": "2023-10-27T20:54:34.059661Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.060664Z", + "id": "relationship--db5be032-ad8f-4dbc-8650-b27ddee9876e", + "modified": "2023-10-27T20:54:34.060664Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.062664Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds or updates the policy that is specified as the IAM user's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a user. Use the boundary to control the maximum permissions that the user can have. 
Setting a permissions boundary is an advanced feature that can affect the permissions for the user.", + "event_id": "PutUserPermissionsBoundary", + "id": "x-mitre-sensor-mapping--25a6c4d2-5b54-4104-a03a-cd7edb646f95", + "modified": "2023-10-27T20:54:34.062664Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.063665Z", + "id": "relationship--881931c4-222d-4737-81ff-0ee22cb5299a", + "modified": "2023-10-27T20:54:34.063665Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.064661Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A policy for an IAM user has been added or updated.", + "event_id": "PutUserPolicy", + "id": "x-mitre-sensor-mapping--1c149f36-f883-42dc-aef0-716f2c29cfd7", + "modified": "2023-10-27T20:54:34.064661Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.065199Z", + "id": "relationship--ded2419b-cdf3-4e7f-994e-4d6f71234058", + "modified": "2023-10-27T20:54:34.065199Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.06679Z", + "data_component": "User Account 
Metadata", + "data_source": "User Account", + "description": "Adds or updates an inline policy document that is embedded in the specified IAM role.", + "event_id": "PutUserPolicy", + "id": "x-mitre-sensor-mapping--ce64350b-150a-44ad-a8e7-e3d629e7fe67", + "modified": "2023-10-27T20:54:34.06679Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.067183Z", + "id": "relationship--5d62ab68-e8c7-43da-bffb-55b584fb86cd", + "modified": "2023-10-27T20:54:34.067183Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.069189Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A version of a policy has been set as a default. This can apply to users, groups and roles. 
To find specifics, use the ListEntitiesForPolicy API.", + "event_id": "SetDefaultPolicyVersion", + "id": "x-mitre-sensor-mapping--daa080ff-f783-4226-9825-17a899d48c27", + "modified": "2023-10-27T20:54:34.069189Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.069189Z", + "id": "relationship--94cb52cf-9c80-426e-aad9-0ccca4dc567e", + "modified": "2023-10-27T20:54:34.069189Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.070192Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and AWS resources to determine the policies' effective permissions. 
The policies are provided as strings.", + "event_id": "SimulateCustomPolicy", + "id": "x-mitre-sensor-mapping--d49bce5c-2cdd-4f6a-8b8a-48d8c769e2d2", + "modified": "2023-10-27T20:54:34.070192Z", + "relationship": "Enumerates", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.07119Z", + "id": "relationship--7cfdc676-94bb-4b8b-a8b6-3685abd5762a", + "modified": "2023-10-27T20:54:34.07119Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.07119Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to. 
You can simulate resources that don't exist in your account.", + "event_id": "SimulatePrincipalPolicy", + "id": "x-mitre-sensor-mapping--eb7ca8aa-bf9f-4ea3-a0ed-86ac1707f38f", + "modified": "2023-10-27T20:54:34.07119Z", + "relationship": "Accesses", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.072188Z", + "id": "relationship--582f8ce1-0b10-4077-bf28-28703c78d822", + "modified": "2023-10-27T20:54:34.072188Z", + "relationship_type": "Accesses", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.073192Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds one or more tags to an IAM customer managed policy. 
If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagPolicy", + "id": "x-mitre-sensor-mapping--128ac515-2c03-4576-92ec-2480ab2d4675", + "modified": "2023-10-27T20:54:34.073192Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.073192Z", + "id": "relationship--6759c9a1-5f7f-4ede-9c99-e7338355902f", + "modified": "2023-10-27T20:54:34.073192Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.074186Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds one or more tags to an IAM role. The role can be a regular role or a service-linked role. 
If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagRole", + "id": "x-mitre-sensor-mapping--82d8b467-8724-4b63-b0c5-682ae9fabe68", + "modified": "2023-10-27T20:54:34.074186Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.075187Z", + "id": "relationship--1d712dc4-e0af-44d2-942c-130c58a5d99c", + "modified": "2023-10-27T20:54:34.075187Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.076188Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Removes the specified tags from the customer managed policy.", + "event_id": "Untag Policy", + "id": "x-mitre-sensor-mapping--24fd7f69-ee6e-4c2a-9adf-424e6299e7a6", + "modified": "2023-10-27T20:54:34.076188Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.077198Z", + "id": "relationship--7fcd3870-56eb-4562-848d-8573f74b7490", + "modified": "2023-10-27T20:54:34.077198Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.078185Z", + "data_component": "User Account Metadata", + "data_source": 
"User Account", + "description": "Removes the specified tags from the role.", + "event_id": "UntagRole", + "id": "x-mitre-sensor-mapping--dbb26ea5-546a-443a-b5fb-b696638f7b3c", + "modified": "2023-10-27T20:54:34.078185Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Metadata (User Tags)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.078185Z", + "id": "relationship--0b839dd8-657b-462d-a0d1-ceeb86fa072f", + "modified": "2023-10-27T20:54:34.078185Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.079195Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Updates the password policy settings for the AWS account.", + "event_id": "UpdateAccountPasswordPolicy", + "id": "x-mitre-sensor-mapping--66546c19-83b4-40ba-9082-804410d5988f", + "modified": "2023-10-27T20:54:34.079195Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.080184Z", + "id": "relationship--b281759a-f54e-4309-a5c5-bbc981ca3628", + "modified": "2023-10-27T20:54:34.080184Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.080184Z", + "data_component": "User Account Metadata", + 
"data_source": "User Account", + "description": "Updates the policy that grants an IAM entity permission to assume a role.", + "event_id": "UpdateAssumeRolePolicy", + "id": "x-mitre-sensor-mapping--d2622ace-4bc1-4130-acf9-d6d834239663", + "modified": "2023-10-27T20:54:34.080184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.081199Z", + "id": "relationship--209652a2-3488-4c70-ac07-d07e32815df6", + "modified": "2023-10-27T20:54:34.081199Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.081199Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Updates the description or maximum session duration setting of a role.", + "event_id": "UpdateRole", + "id": "x-mitre-sensor-mapping--8ac960c4-9b3d-4cc4-b6ba-6a5cdd94f45f", + "modified": "2023-10-27T20:54:34.081199Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.083185Z", + "id": "relationship--263e6f40-da4b-49e0-a44b-c39d94be2f19", + "modified": "2023-10-27T20:54:34.083185Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.084188Z", + 
"data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A managed policy has been added to an IAM role.", + "event_id": "AttachRolePolicy", + "id": "x-mitre-sensor-mapping--a1527d9e-c440-4547-863f-2c8650bc542f", + "modified": "2023-10-27T20:54:34.084188Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.084188Z", + "id": "relationship--57cb2a44-58c0-4023-862c-96b630180ba3", + "modified": "2023-10-27T20:54:34.084188Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.085189Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A managed policy has been added to an IAM user.", + "event_id": "AttachUserPolicy", + "id": "x-mitre-sensor-mapping--cd95caef-f9a3-402e-9a1e-b72c3a5e9d5e", + "modified": "2023-10-27T20:54:34.085189Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.085189Z", + "id": "relationship--6c4da018-4de0-4b65-8165-bd2d63b433fd", + "modified": "2023-10-27T20:54:34.085189Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.08647Z", + "data_component": 
"User Account Metadata", + "data_source": "User Account", + "description": "A password for an IAM user has been changed.\n\nChanges the password of the IAM user who is calling this operation. This operation can be performed using the AWS CLI, the AWS API, or the My Security Credentials page in the AWS Management Console. The AWS account root user password is not affected by this operation.", + "event_id": "ChangePassword", + "id": "x-mitre-sensor-mapping--508ce1f9-a02a-4931-92d3-d1712a1825d7", + "modified": "2023-10-27T20:54:34.08647Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.087188Z", + "id": "relationship--d998db78-71ba-4b4a-bda4-a74eb8d65871", + "modified": "2023-10-27T20:54:34.087188Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.088184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A new AWS secret access key and access key ID has been created.", + "event_id": "CreateAccessKey", + "id": "x-mitre-sensor-mapping--ddebed8a-9864-4768-9115-42fb3f47c634", + "modified": "2023-10-27T20:54:34.088184Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Access Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.088184Z", + "id": "relationship--ac99b1b0-e942-416b-bbae-01e48975060d", + "modified": "2023-10-27T20:54:34.088184Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.089187Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Creates an alias for your AWS account.", + "event_id": "CreateAccountAlias", + "id": "x-mitre-sensor-mapping--39498d6c-5e30-4bc1-945f-3aac2367b42e", + "modified": "2023-10-27T20:54:34.089187Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Alias", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.090187Z", + "id": "relationship--d60a8140-4dae-4611-bbc2-327f28b166a4", + "modified": "2023-10-27T20:54:34.090187Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.091188Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A new password has been created for a user to access AWS services through the management console.", + "event_id": "CreateLoginProfile", + "id": "x-mitre-sensor-mapping--a9005262-e92b-4d4e-a308-2c9d88f69d73", + "modified": "2023-10-27T20:54:34.091188Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.092187Z", + "id": "relationship--256885cd-27f6-4392-8a69-1e15f7c6912a", + "modified": "2023-10-27T20:54:34.092187Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.09319Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A new managed policy has been created for an AWS account.", + "event_id": "CreatePolicy", + "id": "x-mitre-sensor-mapping--34f081d7-5b85-4e83-b9f8-72fe1de57ba8", + "modified": "2023-10-27T20:54:34.09319Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.09419Z", + "id": "relationship--522461fe-a005-43a0-87cc-71d903068bcd", + "modified": "2023-10-27T20:54:34.09419Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.095188Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. A managed policy can have up to five versions. 
If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version.", + "event_id": "CreatePolicyVersion", + "id": "x-mitre-sensor-mapping--e1f710a0-efb1-49c5-89fb-049aee1ccf31", + "modified": "2023-10-27T20:54:34.095188Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.095188Z", + "id": "relationship--4adf2cc9-325d-4d34-9797-d711c8170a5d", + "modified": "2023-10-27T20:54:34.095188Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.096199Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A new role for an AWS account has been created.", + "event_id": "CreateRole", + "id": "x-mitre-sensor-mapping--cf65b1a4-aa93-4c88-a941-f65ccc5d7af9", + "modified": "2023-10-27T20:54:34.096199Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.096199Z", + "id": "relationship--714bf64f-f51b-45ad-bb3a-c0ca4f4a04cc", + "modified": "2023-10-27T20:54:34.096199Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.097197Z", + "data_component": "User Account Metadata", + 
"data_source": "User Account", + "description": "Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. Use this operation to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account.", + "event_id": "GetAccountAuthorizationDetails", + "id": "x-mitre-sensor-mapping--b77759bc-19d1-4057-b2c3-00256312f299", + "modified": "2023-10-27T20:54:34.097197Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.098196Z", + "id": "relationship--85118786-57f9-4046-8b8f-bb7c22b07cdd", + "modified": "2023-10-27T20:54:34.098196Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.099185Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves the password policy for the AWS account. 
This tells you the complexity requirements and mandatory rotation periods for the IAM user passwords in your account.", + "event_id": "GetAccountPasswordPolicy", + "id": "x-mitre-sensor-mapping--faf752ae-8332-4ea0-b00e-76920d1d0b71", + "modified": "2023-10-27T20:54:34.099185Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.1002Z", + "id": "relationship--e4c73ae3-0880-4333-9b94-0ca13cc188ec", + "modified": "2023-10-27T20:54:34.1002Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.1002Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Gets a list of all of the context keys referenced in the input policies. The policies are supplied as a list of one or more strings. 
To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy.", + "event_id": "GetContextKeysForCustomPolicy", + "id": "x-mitre-sensor-mapping--99205d36-a315-4146-a75f-20b54ecd8f87", + "modified": "2023-10-27T20:54:34.1002Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.101198Z", + "id": "relationship--afae4246-5802-4d9e-88b5-200185bb3060", + "modified": "2023-10-27T20:54:34.101198Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.102189Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. 
If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of.", + "event_id": "GetContextKeysForPrincipalPolicy", + "id": "x-mitre-sensor-mapping--b25855bd-61d5-4798-be65-85cb1f894acc", + "modified": "2023-10-27T20:54:34.102189Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.102189Z", + "id": "relationship--8c883a57-a2a5-40d7-b245-7da285d9fd2d", + "modified": "2023-10-27T20:54:34.102189Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.103204Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves the user name and password-creation date for the specified IAM user.", + "event_id": "GetLoginprofile", + "id": "x-mitre-sensor-mapping--3d045128-a91a-4c73-9f12-43ee5134b9ba", + "modified": "2023-10-27T20:54:34.103204Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.103204Z", + "id": "relationship--590a1f8d-a95e-42e1-b82b-7697fb2875a6", + "modified": "2023-10-27T20:54:34.103204Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.104185Z", + 
"data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached.", + "event_id": "GetPolicy", + "id": "x-mitre-sensor-mapping--efb0b328-bbf7-41bf-9cdc-febd3af82a23", + "modified": "2023-10-27T20:54:34.104185Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.105186Z", + "id": "relationship--34090bad-491a-4348-bcb6-1e6d68396f38", + "modified": "2023-10-27T20:54:34.105186Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.105186Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves information about the specified version of the specified managed policy, including the policy document.", + "event_id": "GetPolicyVersion", + "id": "x-mitre-sensor-mapping--3996a6e5-702e-498a-bba3-3eb3dd2410ca", + "modified": "2023-10-27T20:54:34.105186Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.10719Z", + "id": "relationship--757f60e9-76a8-40a0-8abe-9a1b19ed836f", + "modified": "2023-10-27T20:54:34.10719Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.108194Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.", + "event_id": "GetRole", + "id": "x-mitre-sensor-mapping--e4e5f87d-c72d-4a0e-902c-b06493720cb3", + "modified": "2023-10-27T20:54:34.108194Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.108194Z", + "id": "relationship--594e5854-0f7f-4e65-8090-62c756994986", + "modified": "2023-10-27T20:54:34.108194Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.10919Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves the specified inline policy document that is embedded with the specified IAM role.", + "event_id": "GetRolePolicy", + "id": "x-mitre-sensor-mapping--927808d3-ef85-4fcd-87ca-b8f3303e0284", + "modified": "2023-10-27T20:54:34.10919Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.110184Z", + "id": "relationship--c1834a30-5e75-4872-b555-fefdf45e0eda", + "modified": "2023-10-27T20:54:34.110184Z", + "relationship_type": "Accessed", + "revoked": false, + 
"source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.111184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves the specified inline policy document that is embedded in the specified IAM user.", + "event_id": "GetUserPolicy", + "id": "x-mitre-sensor-mapping--73d9a0f7-52a3-48a8-8efb-2bc3a916e2f5", + "modified": "2023-10-27T20:54:34.111184Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.111184Z", + "id": "relationship--c22b9503-1e55-4f05-ad1f-819521c4fb76", + "modified": "2023-10-27T20:54:34.111184Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.112185Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists all managed policies that are attached to the specified IAM role.", + "event_id": "ListAttachedRolePolicies", + "id": "x-mitre-sensor-mapping--20d20f81-8471-488c-a680-7dd4338887fd", + "modified": "2023-10-27T20:54:34.112185Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.112185Z", + "id": "relationship--e2c8529a-d32f-42f7-b4c7-7776e61f45f1", + "modified": "2023-10-27T20:54:34.112185Z", + "relationship_type": 
"Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.113184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists all IAM users, groups, and roles that the specified managed policy is attached to.", + "event_id": "ListEntitiesForPolicy", + "id": "x-mitre-sensor-mapping--58db3a83-3c8d-4c04-8de9-084bebf3b6f9", + "modified": "2023-10-27T20:54:34.113184Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.114184Z", + "id": "relationship--22ea7fa2-a7b4-4503-9ae5-70a9a9039f1d", + "modified": "2023-10-27T20:54:34.114184Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.116509Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service.\n\nThe list of policies returned by the operation depends on the ARN of the identity that you provide.", + "event_id": "ListPoliciesGrantingServiceAccess", + "id": "x-mitre-sensor-mapping--208739ea-35e1-422c-8f57-1f255055eab4", + "modified": "2023-10-27T20:54:34.116509Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.117185Z", + "id": "relationship--10bf40a5-4288-4a24-aa34-e0cecfcea50f", + "modified": "2023-10-27T20:54:34.117185Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.117185Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists the tags that are attached to the specified IAM customer managed policy. The returned list of tags is sorted by tag key.", + "event_id": "ListPolicyTags", + "id": "x-mitre-sensor-mapping--a823a697-3037-4653-90e5-65d08d3b0f5a", + "modified": "2023-10-27T20:54:34.117185Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.118185Z", + "id": "relationship--5073c79c-e134-4591-8654-67493c66467a", + "modified": "2023-10-27T20:54:34.118185Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.119184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version.", + "event_id": "ListPolicyVersions", + "id": "x-mitre-sensor-mapping--8146885b-aa11-421c-a3a7-8ed423f77972", + "modified": "2023-10-27T20:54:34.119184Z", + "relationship": 
"Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.119184Z", + "id": "relationship--d3ac1e80-cd57-4e20-a6b6-2743ca4808b0", + "modified": "2023-10-27T20:54:34.119184Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.120184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Changes the password for the specified IAM user.", + "event_id": "UpdateLoginProfile", + "id": "x-mitre-sensor-mapping--4f039a9d-f813-48a8-8fa9-14f11c12c5d9", + "modified": "2023-10-27T20:54:34.120184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.120184Z", + "id": "relationship--046bb69f-3def-4f1d-a4b1-58ab9821d1ac", + "modified": "2023-10-27T20:54:34.120184Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.762922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "modified": "2023-10-27T20:54:33.762922Z", + "name": "User Account Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.121185Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Sets the specified version of the global endpoint token as the token version used for the AWS account.", + "event_id": "SetSecurityTokenPreferences", + "id": "x-mitre-sensor-mapping--5ca1702a-1495-47d4-972a-5160878d9aef", + "modified": "2023-10-27T20:54:34.121185Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.122184Z", + "id": "relationship--f9ac603a-5788-4d29-a581-a035935c3983", + "modified": "2023-10-27T20:54:34.122184Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.122184Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Adds one or more tags to an IAM user. 
If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagUser", + "id": "x-mitre-sensor-mapping--724d8fd1-6ef8-442b-8745-350a88dcf5aa", + "modified": "2023-10-27T20:54:34.122184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.123185Z", + "id": "relationship--d382ad43-b500-4ef8-8e54-8e08eef97b68", + "modified": "2023-10-27T20:54:34.123185Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.124186Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Removes the specified tags from the user.", + "event_id": "UntagUser", + "id": "x-mitre-sensor-mapping--8b6399a1-6079-4fb6-b6b4-6fa605b90249", + "modified": "2023-10-27T20:54:34.124186Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Metadata (User Tags)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.125186Z", + "id": "relationship--afcc2f10-57e8-4c3e-81ef-9c9ae3831029", + "modified": "2023-10-27T20:54:34.125186Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.125186Z", + "data_component": "User Account Modification", + "data_source": 
"User Account", + "description": "Changes the status of the specified access key from Active to Inactive, or vice versa. This operation can be used to disable a user's key as part of a key rotation workflow.", + "event_id": "UpdateAccessKey", + "id": "x-mitre-sensor-mapping--43d5a12f-3b32-409f-a2f8-4bac1b1051d1", + "modified": "2023-10-27T20:54:34.125186Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.126184Z", + "id": "relationship--86eca2b9-c0c4-466a-a9ee-95844d5b83ea", + "modified": "2023-10-27T20:54:34.126184Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.127184Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Sets the status of a service-specific credential to Active or Inactive. Service-specific credentials that are inactive cannot be used for authentication to the service. 
This operation can be used to disable a user's service-specific credential as part of a credential rotation work flow.", + "event_id": "UpdateServiceSpecificCredential", + "id": "x-mitre-sensor-mapping--02796475-87ce-4eb4-9994-753119b9be2d", + "modified": "2023-10-27T20:54:34.127184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.127184Z", + "id": "relationship--4b0276e1-e69d-4369-be41-c76c7b330c84", + "modified": "2023-10-27T20:54:34.127184Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.128184Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Changes the status of the specified user signing certificate from active to disabled, or vice versa. 
This operation can be used to disable an IAM user's signing certificate as part of a certificate rotation work flow.", + "event_id": "UpdateSigningCertificate", + "id": "x-mitre-sensor-mapping--1c958f62-e0f6-4ef8-be2e-050b9001512d", + "modified": "2023-10-27T20:54:34.128184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.128184Z", + "id": "relationship--a2eee4f2-be65-4dbc-be91-dc5e5daf9a35", + "modified": "2023-10-27T20:54:34.128184Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.129184Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Sets the status of an IAM user's SSH public key to active or inactive. SSH public keys that are inactive cannot be used for authentication. 
This operation can be used to disable a user's SSH public key as part of a key rotation work flow.", + "event_id": "UpdateSSHPublicKey", + "id": "x-mitre-sensor-mapping--7e002710-f808-4d23-b81c-bd54b838fef2", + "modified": "2023-10-27T20:54:34.129184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.130184Z", + "id": "relationship--ff91bd04-b36a-4739-ae26-49d37058ec6f", + "modified": "2023-10-27T20:54:34.130184Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.131201Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Updates the name and/or the path of the specified IAM user.", + "event_id": "UpdateUser", + "id": "x-mitre-sensor-mapping--18910039-033a-4f62-8613-48601426d1b7", + "modified": "2023-10-27T20:54:34.131201Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.132204Z", + "id": "relationship--6714d08b-3b7b-42d7-a6ff-0b21995d6680", + "modified": "2023-10-27T20:54:34.132204Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.132204Z", + "data_component": "User Account Modification", + 
"data_source": "User Account", + "description": "Uploads a server certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.", + "event_id": "UploadServerCertificate", + "id": "x-mitre-sensor-mapping--9afec1b5-9850-4bce-bd45-03a98b25bc9f", + "modified": "2023-10-27T20:54:34.132204Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.133241Z", + "id": "relationship--69462776-4df2-45fb-a880-7ddc7b5958eb", + "modified": "2023-10-27T20:54:34.133241Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.134284Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Uploads an X.509 signing certificate and associates it with the specified IAM user.", + "event_id": "UploadSigningCertificate", + "id": "x-mitre-sensor-mapping--026a3960-e700-4da2-b179-4c759c9548cc", + "modified": "2023-10-27T20:54:34.134284Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.134948Z", + "id": "relationship--12018e16-6d15-4a8f-bc89-4104195005fa", + "modified": "2023-10-27T20:54:34.134948Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.134948Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Uploads an SSH public key and associates it with the specified IAM user.", + "event_id": "UploadSSHPublicKey", + "id": "x-mitre-sensor-mapping--a74c00b4-22e8-4b09-8ac9-86f4c371bd3a", + "modified": "2023-10-27T20:54:34.134948Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.135942Z", + "id": "relationship--b20d4e0e-f008-4646-bb50-2829ab699f49", + "modified": "2023-10-27T20:54:34.135942Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.135942Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--755e42e8-1960-47d4-87b6-d5f485b98610", + "modified": "2023-10-27T20:54:34.135942Z", + "name": "Volume Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.136931Z", + "data_component": "Volume Creation", + "data_source": "Volume", + "description": "Creates an EBS volume 
that can be attached to an instance in the same Availability Zone.", + "event_id": "CreateVolume", + "id": "x-mitre-sensor-mapping--d145d5e7-3e6c-42fb-a0ad-d0716259a87d", + "modified": "2023-10-27T20:54:34.136931Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Volume", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0034" + }, + { + "created": "2023-10-27T20:54:34.138014Z", + "id": "relationship--ae805209-1e8f-448f-8017-79906fb82049", + "modified": "2023-10-27T20:54:34.138014Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--755e42e8-1960-47d4-87b6-d5f485b98610", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.138014Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d241a43a-9ff3-4d76-b5f4-9992dbf6fba9", + "modified": "2023-10-27T20:54:34.138014Z", + "name": "Volume Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.138945Z", + "data_component": "Volume Modification", + "data_source": "Volume", + "description": "Detaches an EBS volume from an instance.", + "event_id": "DetachVolume", + "id": "x-mitre-sensor-mapping--80ab0482-fdbc-4c16-bc92-809f80b6e64d", + "modified": "2023-10-27T20:54:34.138945Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": 
"2.1", + "target": "Volume", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0034" + }, + { + "created": "2023-10-27T20:54:34.138945Z", + "id": "relationship--8957fcd2-d76e-4b8e-bd09-f5aea003a253", + "modified": "2023-10-27T20:54:34.138945Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d241a43a-9ff3-4d76-b5f4-9992dbf6fba9", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.14093Z", + "data_component": "Volume Modification", + "data_source": "Volume", + "description": "You can modify several parameters of an existing EBS volume, including volume size, volume type, and IOPS capacity.", + "event_id": "ModifyVolume", + "id": "x-mitre-sensor-mapping--ae947d01-0b87-40d6-a5cd-4394b9d798e7", + "modified": "2023-10-27T20:54:34.14093Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Volume", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0034" + }, + { + "created": "2023-10-27T20:54:34.141932Z", + "id": "relationship--74ab6604-995d-44b6-9126-1dea84610108", + "modified": "2023-10-27T20:54:34.141932Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d241a43a-9ff3-4d76-b5f4-9992dbf6fba9", + "type": "relationship" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/mappings/stix/enterprise/OSQuery-mappings-enterprise.json b/mappings/stix/enterprise/OSQuery-mappings-enterprise.json new file mode 100644 index 0000000..adb602a --- /dev/null +++ b/mappings/stix/enterprise/OSQuery-mappings-enterprise.json 
@@ -0,0 +1,6411 @@ +{ + "id": "bundle--2b2bfa59-6c4c-4e1a-a3a0-0b048cd596a1", + "objects": [ + { + "created": "2023-10-27T20:54:34.171925Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--858b1589-f9ad-482f-9c34-6fa2cddc5a76", + "modified": "2023-10-27T20:54:34.171925Z", + "name": "Active Directory Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.172925Z", + "data_component": "Active Directory Metadata", + "data_source": "Active Directory", + "description": "OS X Active Directory configuration.", + "event_id": "ad_config", + "id": "x-mitre-sensor-mapping--abd593f2-6665-4b11-8784-800df631e16c", + "modified": "2023-10-27T20:54:34.172925Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.173926Z", + "id": "relationship--93a26cdb-ad3c-49f5-9d82-d5aef168a7fd", + "modified": "2023-10-27T20:54:34.173926Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--858b1589-f9ad-482f-9c34-6fa2cddc5a76", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.860987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "modified": 
"2023-10-27T20:54:33.860987Z", + "name": "Active Directory Object Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.173926Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "The managed configuration policies from AD, MDM, MCX, etc.", + "event_id": "managed_policies", + "id": "x-mitre-sensor-mapping--acf0b3d7-d283-49e8-bdc9-0929cbcb856b", + "modified": "2023-10-27T20:54:34.173926Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.174928Z", + "id": "relationship--995431ea-0963-4160-97cd-7d8b960d50ad", + "modified": "2023-10-27T20:54:34.174928Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.174928Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "modified": "2023-10-27T20:54:34.174928Z", + "name": "Application Log Content", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.176128Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Content scripts associated with Chrome extensions", + "event_id": "chrome_extension_content_scripts", + "id": "x-mitre-sensor-mapping--c55203a0-173e-4ea3-be1a-f2d106eeb36d", + "modified": "2023-10-27T20:54:34.176128Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Application", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.176931Z", + "id": "relationship--99ec5b44-29c0-4856-bc37-1cba3d4786f7", + "modified": "2023-10-27T20:54:34.176931Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.176931Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Chrome browser extensions", + "event_id": "chrome_extensions", + "id": "x-mitre-sensor-mapping--10f4ef38-6fb9-44b7-a36b-b2bda25e2347", + "modified": "2023-10-27T20:54:34.176931Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.178929Z", + "id": "relationship--07383631-6ef8-4c97-b950-89b201c72a58", + "modified": "2023-10-27T20:54:34.178929Z", + "relationship_type": 
"Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.179931Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Firefox browser extensions, webapps, and addons.", + "event_id": "firefox_addons", + "id": "x-mitre-sensor-mapping--9a0ff282-f268-4db6-b8d8-6ecd53e742e6", + "modified": "2023-10-27T20:54:34.179931Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.180934Z", + "id": "relationship--955e336e-a6a3-4ee4-824e-eb1212e6819b", + "modified": "2023-10-27T20:54:34.180934Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.181933Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Internet Explorer browser extensions.", + "event_id": "ie_extensions", + "id": "x-mitre-sensor-mapping--4e113995-da0e-42c1-ae4f-212b0881a31e", + "modified": "2023-10-27T20:54:34.181933Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.181933Z", + "id": "relationship--a4ed1231-60c0-4cd8-85ab-11332274ba95", + "modified": "2023-10-27T20:54:34.181933Z", + "relationship_type": "Accessed", + "revoked": false, + 
"source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.18293Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Opera browser extensions.", + "event_id": "opera_extensions", + "id": "x-mitre-sensor-mapping--5fcf571d-946e-4a40-bcab-4c2fe4ca8931", + "modified": "2023-10-27T20:54:34.18293Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.18293Z", + "id": "relationship--d8437a53-fb55-4247-a0e0-189ba2a1c5ce", + "modified": "2023-10-27T20:54:34.18293Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.183927Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Safari browser extension details for all users.", + "event_id": "safari_extensions", + "id": "x-mitre-sensor-mapping--c540f41a-f066-49ad-9e3e-4632265895dd", + "modified": "2023-10-27T20:54:34.183927Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.183927Z", + "id": "relationship--bc1beb5d-8ffb-403c-b30d-f82dea5e210c", + "modified": "2023-10-27T20:54:34.183927Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.183927Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "All C/NPAPI browser plugin details for all users.", + "event_id": "browser_plugins", + "id": "x-mitre-sensor-mapping--2439ac08-dcd3-48b8-bd91-e77a95ba508c", + "modified": "2023-10-27T20:54:34.183927Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.18493Z", + "id": "relationship--70e97c57-4515-47ec-8a17-88e68f76b3bf", + "modified": "2023-10-27T20:54:34.18493Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.18493Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "The installed homebrew package database.", + "event_id": "homebrew_packages", + "id": "x-mitre-sensor-mapping--645238a8-f28b-497e-95a7-2008ee1b897f", + "modified": "2023-10-27T20:54:34.18493Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.185931Z", + "id": "relationship--6119ff73-a316-4a8a-b303-868b720461de", + "modified": "2023-10-27T20:54:34.185931Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.185931Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--7f894f0a-ff30-49dd-ae5d-0c203c3d7900", + "modified": "2023-10-27T20:54:34.185931Z", + "name": "Certificate Registration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.186928Z", + "data_component": "Certificate Registration", + "data_source": "Certificate", + "description": "Certificate Authorities installed in Keychains/ca-bundles.", + "event_id": "certificates", + "id": "x-mitre-sensor-mapping--4e63505f-4749-4437-9725-176d8623cab5", + "modified": "2023-10-27T20:54:34.186928Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:34.186928Z", + "id": "relationship--df2de055-69fe-45e7-ab2e-e2de37bdd34c", + "modified": "2023-10-27T20:54:34.186928Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--7f894f0a-ff30-49dd-ae5d-0c203c3d7900", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.187927Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ca94bc9d-801f-4522-85dd-240c26bb2401", + "modified": "2023-10-27T20:54:34.187927Z", + "name": "Command Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.187927Z", + "data_component": "Command Metadata", + "data_source": "Command", + "description": "A line-delimited (command) table of per-user .*_history data.", + "event_id": "shell_history", + "id": "x-mitre-sensor-mapping--56e97439-0b90-40a7-88f7-64a6d2c201c3", + "modified": "2023-10-27T20:54:34.187927Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Command History", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0017" + }, + { + "created": "2023-10-27T20:54:34.187927Z", + "id": "relationship--c033d412-d22e-4960-8928-483ee0d75d58", + "modified": "2023-10-27T20:54:34.187927Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ca94bc9d-801f-4522-85dd-240c26bb2401", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.188927Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--28e91219-e313-41c9-a3ba-c694a0708c81", + "modified": "2023-10-27T20:54:34.188927Z", + "name": "Drive Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.188927Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Retrieve basic information about the physical disks of a system.", + "event_id": "disk_info", + "id": "x-mitre-sensor-mapping--ded17b5f-e088-413a-b761-5069afeb1bb7", + "modified": "2023-10-27T20:54:34.188927Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.189927Z", + "id": "relationship--b9b3af6c-4492-4100-9946-ceb8a6e8f748", + "modified": "2023-10-27T20:54:34.189927Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--28e91219-e313-41c9-a3ba-c694a0708c81", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.19093Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Disk encryption status and information.", + "event_id": "disk_encryption", + "id": "x-mitre-sensor-mapping--842103b7-70b5-4fd2-9136-12b94f7430e4", + "modified": "2023-10-27T20:54:34.19093Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.19093Z", + "id": "relationship--73c3b1ee-c514-4c44-8026-62f4879e6e4e", + "modified": 
"2023-10-27T20:54:34.19093Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--28e91219-e313-41c9-a3ba-c694a0708c81", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.19093Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Details for logical drives on the system. A logical drive generally represents a single partition.", + "event_id": "logical_drives", + "id": "x-mitre-sensor-mapping--86f5f9f1-72d6-4041-9b32-0b73199dc5d3", + "modified": "2023-10-27T20:54:34.19093Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.191932Z", + "id": "relationship--2bb4e2ae-78d4-4b16-b147-b322d6d92015", + "modified": "2023-10-27T20:54:34.191932Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--28e91219-e313-41c9-a3ba-c694a0708c81", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.191932Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Track DMG disk image events (appearance/disappearance) when opened", + "event_id": "disk_events", + "id": "x-mitre-sensor-mapping--10991cd7-12fe-48ca-94a7-8e33c9763ce4", + "modified": "2023-10-27T20:54:34.191932Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.192928Z", + "id": "relationship--e89a5192-8aad-42e1-84b7-40dd96c63d41", + "modified": 
"2023-10-27T20:54:34.192928Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--28e91219-e313-41c9-a3ba-c694a0708c81", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.193929Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Use TSK to enumerate details about partitions on a disk device.", + "event_id": "device_partitions", + "id": "x-mitre-sensor-mapping--d8976aa7-14b9-4395-9635-5535fd310ef2", + "modified": "2023-10-27T20:54:34.193929Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.194789Z", + "id": "relationship--f92df012-1729-4cb9-bfae-f409ee4b18aa", + "modified": "2023-10-27T20:54:34.194789Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--28e91219-e313-41c9-a3ba-c694a0708c81", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.195779Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Similar to the file table, but use TSK and allow block address access", + "event_id": "device_file", + "id": "x-mitre-sensor-mapping--7b47fc14-6589-4abc-9c42-222463160ac5", + "modified": "2023-10-27T20:54:34.195779Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.195779Z", + "id": "relationship--f48cc7a4-a605-442c-8f50-4a625f4a7d03", + "modified": "2023-10-27T20:54:34.195779Z", + "relationship_type": 
"Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--28e91219-e313-41c9-a3ba-c694a0708c81", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.196777Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--806c044c-2cb9-49c6-893e-30675b5e4679", + "modified": "2023-10-27T20:54:34.196777Z", + "name": "Drive Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.197191Z", + "data_component": "Drive Creation", + "data_source": "Drive", + "description": "USB devices that are actively plugged into the host system.", + "event_id": "usb_devices", + "id": "x-mitre-sensor-mapping--7b617bd2-6671-4ba9-9222-9a80482e2289", + "modified": "2023-10-27T20:54:34.197191Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.197191Z", + "id": "relationship--456427f3-bdfa-4bba-895c-9817a759d254", + "modified": "2023-10-27T20:54:34.197191Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--806c044c-2cb9-49c6-893e-30675b5e4679", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.19818Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2b1eaec6-4e5f-4ced-ac83-48afe7e24380", + "modified": "2023-10-27T20:54:34.19818Z", + "name": "Drive Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.19818Z", + "data_component": "Drive Metadata", + "data_source": "Driver", + "description": "Filesystem hash data.", + "event_id": "hash", + "id": "x-mitre-sensor-mapping--3fcfd0a7-36b8-4b1b-bd28-0e0767377298", + "modified": "2023-10-27T20:54:34.19818Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.199181Z", + "id": "relationship--5feffebe-6d6d-445a-b96a-bf21994a04d6", + "modified": "2023-10-27T20:54:34.199181Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2b1eaec6-4e5f-4ced-ac83-48afe7e24380", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.199181Z", + "data_component": "Drive Metadata", + "data_source": "Drive", + "description": "Locations backed up to using Time Machine.", + "event_id": "time_machine_destinations", + "id": "x-mitre-sensor-mapping--442d3c19-a447-4cd7-adaa-8a6dc122a6e2", + "modified": "2023-10-27T20:54:34.199181Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + 
"spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.20018Z", + "id": "relationship--446390eb-f066-4adf-95e1-9d46ecffac59", + "modified": "2023-10-27T20:54:34.20018Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2b1eaec6-4e5f-4ced-ac83-48afe7e24380", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.647867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "modified": "2023-10-27T20:54:33.647867Z", + "name": "Drive Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.20018Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "Backups to drives using TimeMachine.", + "event_id": "time_machine_backups", + "id": "x-mitre-sensor-mapping--dc2f24e0-c703-4542-8989-586b40ca86b8", + "modified": "2023-10-27T20:54:34.20018Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.20018Z", + "id": "relationship--46e81a1d-18d6-42e0-8c10-b6f2e60690f1", + "modified": "2023-10-27T20:54:34.20018Z", + "relationship_type": "Modified", + "revoked": 
false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.201183Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--802a661b-37ca-4cd3-94b1-1f20cbd62a98", + "modified": "2023-10-27T20:54:34.201183Z", + "name": "Driver Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.201183Z", + "data_component": "Driver Metadata", + "data_source": "Driver", + "description": "Details for in-use Windows device drivers. 
This does not display installed but unused drivers.", + "event_id": "drivers", + "id": "x-mitre-sensor-mapping--05a724e0-1a76-4d5e-8057-d455a47ab038", + "modified": "2023-10-27T20:54:34.201183Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Driver", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.202198Z", + "id": "relationship--65f507a1-0607-4f88-8fb4-63f38e850097", + "modified": "2023-10-27T20:54:34.202198Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--802a661b-37ca-4cd3-94b1-1f20cbd62a98", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.202198Z", + "data_component": "Driver Metadata", + "data_source": "Driver", + "description": "Retrieve bitlocker status of the machine.", + "event_id": "bitlocker_info", + "id": "x-mitre-sensor-mapping--135f6d07-7755-4830-8983-cbb9cf06b20f", + "modified": "2023-10-27T20:54:34.202198Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Driver", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.203187Z", + "id": "relationship--51f0bf79-914a-4018-947d-31ceb6baa89a", + "modified": "2023-10-27T20:54:34.203187Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--802a661b-37ca-4cd3-94b1-1f20cbd62a98", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.203187Z", + "data_component": "Driver Metadata", + "data_source": "Driver", + "description": "The IOKit registry matching the DeviceTree plane.", + "event_id": "iokit_devicetree", + 
"id": "x-mitre-sensor-mapping--a38bda1d-3c18-4661-8ad1-5d3514cd585d", + "modified": "2023-10-27T20:54:34.203187Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Driver", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.204197Z", + "id": "relationship--8bb178c3-3896-4086-9183-9a14a95d9fcf", + "modified": "2023-10-27T20:54:34.204197Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--802a661b-37ca-4cd3-94b1-1f20cbd62a98", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.204197Z", + "data_component": "Driver Metadata", + "data_source": "Driver", + "description": "The full IOKit registry without selecting a plane.", + "event_id": "iokit_registry", + "id": "x-mitre-sensor-mapping--00fa1123-0420-4a98-bd8f-94097aa57299", + "modified": "2023-10-27T20:54:34.204197Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Driver", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.205186Z", + "id": "relationship--6283670f-d453-4785-8858-2ad939a11ec1", + "modified": "2023-10-27T20:54:34.205186Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--802a661b-37ca-4cd3-94b1-1f20cbd62a98", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.648869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "modified": "2023-10-27T20:54:33.648869Z", + "name": "File Access", + "object_marking_refs": 
[ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.205186Z", + "data_component": "File Access", + "data_source": "File", + "description": "Configuration files parsed by augeas", + "event_id": "augeas", + "id": "x-mitre-sensor-mapping--0e5b180c-142f-4c06-93fa-b5e9d4dfc180", + "modified": "2023-10-27T20:54:34.205186Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.205186Z", + "id": "relationship--67cbdf95-454f-44fb-b8f2-6d414bdcecdc", + "modified": "2023-10-27T20:54:34.205186Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.206302Z", + "data_component": "File Access", + "data_source": "File", + "description": "View recently opened Office documents.", + "event_id": "office_mru", + "id": "x-mitre-sensor-mapping--ed5c3f01-5ca5-4d52-9efb-1d511aa4b904", + "modified": "2023-10-27T20:54:34.206302Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.206302Z", + "id": "relationship--a25d5a5e-af15-4118-b7e3-baca36e969b2", + 
"modified": "2023-10-27T20:54:34.206302Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.207293Z", + "data_component": "File Access", + "data_source": "File", + "description": "Read and parse a plist file.", + "event_id": "plist", + "id": "x-mitre-sensor-mapping--670480c5-57d7-4ca9-a596-d7eaaa22002c", + "modified": "2023-10-27T20:54:34.207293Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.207293Z", + "id": "relationship--0c913afe-705c-4c04-95b3-b439bc597b34", + "modified": "2023-10-27T20:54:34.207293Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.208309Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--c0c6bb35-9e38-47d5-be54-c33c1bcdd9f4", + "modified": "2023-10-27T20:54:34.208309Z", + "name": "File Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": 
"2023-10-27T20:54:34.208309Z", + "data_component": "File Creation", + "data_source": "File", + "description": "Track time/action changes to files specified in configuration data.", + "event_id": "file_events", + "id": "x-mitre-sensor-mapping--8be8f6d6-fac5-4c5e-80eb-9ccf1f0cad6a", + "modified": "2023-10-27T20:54:34.208309Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.209297Z", + "id": "relationship--7c839671-9e02-4356-b9bd-d2482d06d2dd", + "modified": "2023-10-27T20:54:34.209297Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--c0c6bb35-9e38-47d5-be54-c33c1bcdd9f4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65187Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "modified": "2023-10-27T20:54:33.65187Z", + "name": "File Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.209297Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "Track time/action changes to files specified in configuration data.", + "event_id": "file_events", + "id": "x-mitre-sensor-mapping--47a580ce-6181-4e41-bd6b-2070e3436978", + "modified": 
"2023-10-27T20:54:34.209297Z", + "relationship": "Deleted", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.210298Z", + "id": "relationship--ec46eb59-47df-4a0b-80f1-dd35ea6e316d", + "modified": "2023-10-27T20:54:34.210298Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "modified": "2023-10-27T20:54:33.65287Z", + "name": "File Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.210298Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "File (executable, bundle, installer, disk) code signing status.", + "event_id": "authenticode", + "id": "x-mitre-sensor-mapping--5a7e9f0f-6ef9-4e32-bd0e-cd27ba97062b", + "modified": "2023-10-27T20:54:34.210298Z", + "relationship": "Validated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Signature", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.211302Z", + "id": 
"relationship--c0917727-710d-4a8a-8cb3-d6d4969c7ba0", + "modified": "2023-10-27T20:54:34.211302Z", + "relationship_type": "Validated", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.211302Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Track time/action changes to files specified in configuration data.", + "event_id": "ntfs_journal_events", + "id": "x-mitre-sensor-mapping--3ac9b962-c305-4fcd-95be-3c4d6934f494", + "modified": "2023-10-27T20:54:34.211302Z", + "relationship": "Deleted", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.211302Z", + "id": "relationship--764bae49-340c-460a-8a71-3aa27c38b7fb", + "modified": "2023-10-27T20:54:34.211302Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.2123Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF dynamic section information.", + "event_id": "elf_dynamic", + "id": "x-mitre-sensor-mapping--f069ab67-40cb-487a-a444-7737dd182726", + "modified": "2023-10-27T20:54:34.2123Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.2123Z", + "id": "relationship--5414aca0-2c71-445d-b073-22a9764bd035", + "modified": 
"2023-10-27T20:54:34.2123Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.213297Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF file information.", + "event_id": "elf_info", + "id": "x-mitre-sensor-mapping--00daa74b-fc79-423c-88c5-fd8d9f07bdf7", + "modified": "2023-10-27T20:54:34.213297Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.213972Z", + "id": "relationship--84765ec1-a547-4d5a-be3f-97b86875b7f1", + "modified": "2023-10-27T20:54:34.213972Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.214967Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF section information.", + "event_id": "elf_sections", + "id": "x-mitre-sensor-mapping--954135d5-8554-41e1-8eaa-d33f33988727", + "modified": "2023-10-27T20:54:34.214967Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.214967Z", + "id": "relationship--598c0eb0-503f-45bb-9b40-f5cbc3876b3b", + "modified": "2023-10-27T20:54:34.214967Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.215961Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF segments information.", + "event_id": "elf_segments", + "id": "x-mitre-sensor-mapping--eec991a4-564d-4e5c-abca-bd8165273389", + "modified": "2023-10-27T20:54:34.215961Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.216607Z", + "id": "relationship--8155c991-d3e5-47a7-a0e8-30c84467cdc1", + "modified": "2023-10-27T20:54:34.216607Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.216607Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF symbol list.", + "event_id": "elf_symbols", + "id": "x-mitre-sensor-mapping--9a9f302b-0b0c-48c7-82b0-af5d93f6cc75", + "modified": "2023-10-27T20:54:34.216607Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.217604Z", + "id": "relationship--3e45365c-ac58-4721-a624-eae48be0f9b2", + "modified": "2023-10-27T20:54:34.217604Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.217604Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Returns the extended attributes for files (similar to Windows ADS).", + "event_id": "extended_attributes", + "id": "x-mitre-sensor-mapping--cf55045a-74f1-4d3e-8351-d28af9baf04d", + "modified": "2023-10-27T20:54:34.217604Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.217604Z", + "id": "relationship--16821cb2-23be-48e3-a0a4-cfecf60f7fa4", + "modified": "2023-10-27T20:54:34.217604Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.218594Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Interactive filesystem attributes and metadata.", + "event_id": "file", + "id": "x-mitre-sensor-mapping--f764c4df-e6cd-4715-a486-893048d4a229", + "modified": "2023-10-27T20:54:34.218594Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.2196Z", + "id": "relationship--a2c92767-7aad-4f42-85c5-1fd29abf1a7b", + "modified": "2023-10-27T20:54:34.2196Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" 
+ }, + { + "created": "2023-10-27T20:54:34.2196Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Magic number recognition library table.", + "event_id": "magic", + "id": "x-mitre-sensor-mapping--433fde69-022c-422e-a3a5-6eee521a0407", + "modified": "2023-10-27T20:54:34.2196Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.220598Z", + "id": "relationship--90c55941-865d-4627-a98f-548ef6e42447", + "modified": "2023-10-27T20:54:34.220598Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.220598Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Retrieve NTFS ACL permission information for files and directories.", + "event_id": "ntfs_acl_permissions", + "id": "x-mitre-sensor-mapping--2a42ea93-53e7-46b2-8597-6c26a783b643", + "modified": "2023-10-27T20:54:34.220598Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.221597Z", + "id": "relationship--92916120-fe92-4709-8219-ff056dc2c2dd", + "modified": "2023-10-27T20:54:34.221597Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.221597Z", + 
"data_component": "File Metadata", + "data_source": "File", + "description": "File (executable, bundle, installer, disk) code signing status.", + "event_id": "signature", + "id": "x-mitre-sensor-mapping--156e5a95-c045-4ddf-9ce5-01435f792228", + "modified": "2023-10-27T20:54:34.221597Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Signature", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.222617Z", + "id": "relationship--acc5684e-c338-4457-9932-a167323d9b70", + "modified": "2023-10-27T20:54:34.222617Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.222617Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Track time/action changes to files specified in configuration data.", + "event_id": "ntfs_journal_events", + "id": "x-mitre-sensor-mapping--4704c5c0-5d54-41c0-8b0a-8d0707a83875", + "modified": "2023-10-27T20:54:34.222617Z", + "relationship": "Modified", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.222617Z", + "id": "relationship--816e3c3d-3f90-4fdf-90c1-555c91421dd8", + "modified": "2023-10-27T20:54:34.222617Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.22408Z", + "data_component": "File 
Metadata", + "data_source": "File", + "description": "A File Integrity Monitor implementation using the audit service.", + "event_id": "process_file_events", + "id": "x-mitre-sensor-mapping--67bc0598-0f7e-43a4-976c-3edfdf972f6d", + "modified": "2023-10-27T20:54:34.22408Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.225023Z", + "id": "relationship--d708164c-0e89-4d4e-89ac-0b779af5547b", + "modified": "2023-10-27T20:54:34.225023Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.225971Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Similar to the hash table, but use TSK and allow block address access", + "event_id": "device_hash", + "id": "x-mitre-sensor-mapping--56bcb499-9781-4616-ab6d-a2e1b039f675", + "modified": "2023-10-27T20:54:34.225971Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.225971Z", + "id": "relationship--ef636b36-072e-4834-96a0-c807465237aa", + "modified": "2023-10-27T20:54:34.225971Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.22697Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "OS 
X package bill of materials (BOM) file list.", + "event_id": "package_bom", + "id": "x-mitre-sensor-mapping--ce7dccf7-2f7d-46ff-8c56-896f6bb64747", + "modified": "2023-10-27T20:54:34.22697Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.22697Z", + "id": "relationship--bc5028e0-2b8b-4134-8bb6-ae07e692786c", + "modified": "2023-10-27T20:54:34.22697Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.227964Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Files and thumbnails within OS X's Quicklook Cache.", + "event_id": "quicklook_cache", + "id": "x-mitre-sensor-mapping--4be76a2a-38c0-4a39-862c-53f9a5a2b088", + "modified": "2023-10-27T20:54:34.227964Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.227964Z", + "id": "relationship--216d1dd1-0e81-4dd5-bae3-26b6642771e3", + "modified": "2023-10-27T20:54:34.227964Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.229009Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Application Compatibility Cache, contains artifacts of execution.", + 
"event_id": "shimcache", + "id": "x-mitre-sensor-mapping--0307600c-1b97-4a2d-ad6d-c538cf841079", + "modified": "2023-10-27T20:54:34.229009Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.229009Z", + "id": "relationship--66e23c98-3405-4333-9d0c-6179a1eaddee", + "modified": "2023-10-27T20:54:34.229009Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.230005Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Run searches against the spotlight database.", + "event_id": "mdfind", + "id": "x-mitre-sensor-mapping--1ae9ee07-8995-411f-8aa1-fdb2fb5204b8", + "modified": "2023-10-27T20:54:34.230005Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.230005Z", + "id": "relationship--2512948d-89b1-4960-9c96-5550858d3baa", + "modified": "2023-10-27T20:54:34.230005Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.231041Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Query file metadata in the Spotlight database.", + "event_id": "mdls", + "id": "x-mitre-sensor-mapping--107d35e1-b984-421a-b4c6-f9c58d4fb221", + 
"modified": "2023-10-27T20:54:34.231041Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.231041Z", + "id": "relationship--223fcec8-a636-4a7f-b6ce-a8bfd133f67a", + "modified": "2023-10-27T20:54:34.231041Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.232052Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "suid binaries in common locations.", + "event_id": "suid_bin", + "id": "x-mitre-sensor-mapping--147f4ff3-fdc5-42d4-8170-6af703bbb89c", + "modified": "2023-10-27T20:54:34.232052Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.232052Z", + "id": "relationship--218c8845-a09d-4f7d-a2b6-9318031a2f4b", + "modified": "2023-10-27T20:54:34.232052Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.655922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "modified": "2023-10-27T20:54:33.655922Z", + "name": "File Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + 
"spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.233081Z", + "data_component": "File Modification", + "data_source": "File", + "description": "Track time/action changes to files specified in configuration data.", + "event_id": "file_events", + "id": "x-mitre-sensor-mapping--ce1f0061-dc81-48cb-a99b-2a8216c8400d", + "modified": "2023-10-27T20:54:34.233081Z", + "relationship": "Modified", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.233629Z", + "id": "relationship--c4c05a57-ee27-4d71-b26e-890795f82c8c", + "modified": "2023-10-27T20:54:34.233629Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.233629Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2cbe4fb0-daf8-46db-9af6-9b43dd48284f", + "modified": "2023-10-27T20:54:34.233629Z", + "name": "Firewall Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.234171Z", + "data_component": "Firewall Enumeration", + "data_source": "Firewall", + "description": "ALF services explicitly allowed to perform networking.", + "event_id": "alf_explicit_auths", + "id": "x-mitre-sensor-mapping--e1a361d2-6547-4701-a802-72c59988f7f0", + "modified": "2023-10-27T20:54:34.234171Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.234717Z", + "id": "relationship--13ea2e54-2345-4a23-be2f-327101dbe49e", + "modified": "2023-10-27T20:54:34.234717Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2cbe4fb0-daf8-46db-9af6-9b43dd48284f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.235252Z", + "data_component": "Firewall Enumeration", + "data_source": "Firewall", + "description": "Linux IP packet filtering and NAT tool.", + "event_id": "iptables", + "id": "x-mitre-sensor-mapping--1a5d8ffd-5830-434b-8d22-c57b20707de5", + "modified": "2023-10-27T20:54:34.235252Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Firewall Rules", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.235252Z", + "id": "relationship--917fc46a-15a8-4100-9cb2-1af848981876", + "modified": "2023-10-27T20:54:34.235252Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2cbe4fb0-daf8-46db-9af6-9b43dd48284f", + "type": 
"relationship" + }, + { + "created": "2023-10-27T20:54:34.236259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "modified": "2023-10-27T20:54:34.236259Z", + "name": "Firewall Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.236259Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "OS X application layer firewall (ALF) service details.", + "event_id": "alf", + "id": "x-mitre-sensor-mapping--4b0f438b-12d0-41bc-aced-32f463e30ac6", + "modified": "2023-10-27T20:54:34.236259Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.2373Z", + "id": "relationship--d624a044-71fa-40e4-ac13-f384499b4b8e", + "modified": "2023-10-27T20:54:34.2373Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.660871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "modified": "2023-10-27T20:54:33.660871Z", + "name": "Firewall Rule Modification", + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.2373Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "OS X application layer firewall (ALF) service exceptions", + "event_id": "alf_exceptions", + "id": "x-mitre-sensor-mapping--2fa0e59c-a5b3-4973-a66e-aeb168655608", + "modified": "2023-10-27T20:54:34.2373Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.238291Z", + "id": "relationship--455d6d76-8de0-4327-bc38-a49a0c37d6e2", + "modified": "2023-10-27T20:54:34.238291Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.238291Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0c03b7eb-2735-4e2a-83e7-0f97b025597f", + "modified": "2023-10-27T20:54:34.238291Z", + "name": "Firmware Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.239418Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "BIOS (DMI) structure common details and content.", + "event_id": "smbios_tables", + "id": "x-mitre-sensor-mapping--fab9ef34-959f-4a2d-8b90-78da4b2fdb2b", + "modified": "2023-10-27T20:54:34.239418Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Bios (Dmi) Structure", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.239418Z", + "id": "relationship--dd2f27a6-0b55-41d2-be68-976a77592532", + "modified": "2023-10-27T20:54:34.239418Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0c03b7eb-2735-4e2a-83e7-0f97b025597f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.241332Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "Lists important information from the system bios.", + "event_id": "wmi_bios_info", + "id": "x-mitre-sensor-mapping--bf0c61cd-16c4-42c6-94ee-606d4fe0e3ee", + "modified": "2023-10-27T20:54:34.241332Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/Service", + "spec_version": "2.1", + "target": "Firmware", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.241332Z", + "id": "relationship--e328609d-b35a-437c-8c0a-bae32db37527", + "modified": "2023-10-27T20:54:34.241332Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0c03b7eb-2735-4e2a-83e7-0f97b025597f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.242341Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "OEM defined strings retrieved from SMBIOS.", + "event_id": "oem_strings", + "id": "x-mitre-sensor-mapping--a834a435-7217-4a10-a619-c9ed82c04def", + "modified": "2023-10-27T20:54:34.242341Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Firmware", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.243366Z", + "id": "relationship--9b9c52e3-11db-485b-8ddc-6f49df65fad9", + "modified": "2023-10-27T20:54:34.243366Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0c03b7eb-2735-4e2a-83e7-0f97b025597f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.243937Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "Information about EFI/UEFI/ROM and platform/boot.", + "event_id": "platform_info", + "id": "x-mitre-sensor-mapping--2f6d1fe4-6dc4-49ed-aa2d-7d66572a92d6", + "modified": "2023-10-27T20:54:34.243937Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Firmware", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.244487Z", + "id": "relationship--360cd49d-6fd4-4db9-ac61-675a6044ac11", + "modified": "2023-10-27T20:54:34.244487Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + 
"spec_version": "2.1", + "target_ref": "x-mitre-data-component--0c03b7eb-2735-4e2a-83e7-0f97b025597f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.245494Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "PCI devices active on the host system.", + "event_id": "pci_devices", + "id": "x-mitre-sensor-mapping--8a62899d-55b4-4f8a-81d6-30beffc2d51f", + "modified": "2023-10-27T20:54:34.245494Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Firmware", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.245494Z", + "id": "relationship--6707afb8-e105-489b-938c-5a41487fd00f", + "modified": "2023-10-27T20:54:34.245494Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0c03b7eb-2735-4e2a-83e7-0f97b025597f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.246525Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "Firmware ACPI functional table common metadata and content.", + "event_id": "acpi_tables", + "id": "x-mitre-sensor-mapping--23e89f62-9f51-42d8-a3c6-8015320b3e81", + "modified": "2023-10-27T20:54:34.246525Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Acpi Tables", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.246525Z", + "id": "relationship--39327350-4b34-4d7f-a1ca-64392ce23687", + "modified": "2023-10-27T20:54:34.246525Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--0c03b7eb-2735-4e2a-83e7-0f97b025597f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.93106Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "modified": "2023-10-27T20:54:33.93106Z", + "name": "Group Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.247517Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Local system groups.", + "event_id": "groups", + "id": "x-mitre-sensor-mapping--28505a71-b0ba-41a2-897d-c2f1b46f7736", + "modified": "2023-10-27T20:54:34.247517Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Groups", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.247517Z", + "id": "relationship--01f330d8-375d-4d9f-a751-3282418fa6e3", + "modified": "2023-10-27T20:54:34.247517Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.248542Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Local system user group relationships.", + "event_id": "user_groups", + "id": 
"x-mitre-sensor-mapping--4f6cf0f4-fb1d-4e55-83b6-9c2bf514f7a9", + "modified": "2023-10-27T20:54:34.248542Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.248542Z", + "id": "relationship--096c7ca1-4b68-48ba-9e4a-f772c7fae965", + "modified": "2023-10-27T20:54:34.248542Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.666871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "modified": "2023-10-27T20:54:33.666871Z", + "name": "Host Status", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.249548Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.", + "event_id": "hardware_events", + "id": "x-mitre-sensor-mapping--b10a6daa-f5e0-425e-93e4-263e539c6b17", + "modified": "2023-10-27T20:54:34.249548Z", + "relationship": "Inserted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, 
+ { + "created": "2023-10-27T20:54:34.249548Z", + "id": "relationship--27eab41b-7856-4f4b-8f2a-4412e2df53d9", + "modified": "2023-10-27T20:54:34.249548Z", + "relationship_type": "Inserted", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.250575Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.", + "event_id": "hardware_events", + "id": "x-mitre-sensor-mapping--da0fe080-e091-488c-98c9-76684d271540", + "modified": "2023-10-27T20:54:34.250575Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.250575Z", + "id": "relationship--2c974550-6358-40a6-ba17-8a56bf22fc92", + "modified": "2023-10-27T20:54:34.250575Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.251577Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.", + "event_id": "hardware_events", + "id": "x-mitre-sensor-mapping--34765f3d-d411-46cc-92ad-2c38ae3a9ca2", + "modified": "2023-10-27T20:54:34.251577Z", + "relationship": "Removed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.251577Z", + "id": 
"relationship--726ba1cf-15be-4905-affd-62fb096234f2", + "modified": "2023-10-27T20:54:34.251577Z", + "relationship_type": "Removed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.252615Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Data associated with errors of a physical memory array.", + "event_id": "memory_error_info", + "id": "x-mitre-sensor-mapping--5419e457-53b5-4d50-831b-968365bd0b9a", + "modified": "2023-10-27T20:54:34.252615Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.253152Z", + "id": "relationship--b4af363f-015d-4c65-a702-614fa364dc54", + "modified": "2023-10-27T20:54:34.253152Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.253697Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "A summary about portage configurations like keywords, mask and unmask.", + "event_id": "portage_keywords", + "id": "x-mitre-sensor-mapping--a7884f0d-8ace-4342-96cd-f6851ce72039", + "modified": "2023-10-27T20:54:34.253697Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.253697Z", + "id": 
"relationship--55019482-bfe6-4c9c-bbbd-d4b68e908f12", + "modified": "2023-10-27T20:54:34.253697Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.254695Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "List of enabled portage USE values for specific package.", + "event_id": "portage_use", + "id": "x-mitre-sensor-mapping--6ffa38c6-1796-4ab1-8a9c-b7343523a891", + "modified": "2023-10-27T20:54:34.254695Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.256247Z", + "id": "relationship--3f7fca86-e8f4-4d68-b8fa-e6b4bd50b5ed", + "modified": "2023-10-27T20:54:34.256247Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.256247Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The installed DEB package database.", + "event_id": "deb_packages", + "id": "x-mitre-sensor-mapping--1438049f-998e-4474-abbb-e43c23ee66d3", + "modified": "2023-10-27T20:54:34.256247Z", + "relationship": "Read", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.257244Z", + "id": "relationship--b4def2c1-a466-44a5-9aa8-008013481653", + "modified": 
"2023-10-27T20:54:34.257244Z", + "relationship_type": "Read", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.258252Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Lists all npm packages in a directory or globally installed in a system.", + "event_id": "npm_packages", + "id": "x-mitre-sensor-mapping--ecf24101-972c-43e2-baed-ec76cccea089", + "modified": "2023-10-27T20:54:34.258252Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.25924Z", + "id": "relationship--9125997a-0e87-4448-8971-0d120caa3e49", + "modified": "2023-10-27T20:54:34.25924Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.26024Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "List of currently installed packages.", + "event_id": "portage_packages", + "id": "x-mitre-sensor-mapping--be36f076-b1a3-40ec-bd14-a6dff0cfaf06", + "modified": "2023-10-27T20:54:34.26024Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.261242Z", + "id": "relationship--26e184b2-6e2a-49a7-b8fa-ae3b249d7faf", + "modified": "2023-10-27T20:54:34.261242Z", + 
"relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.261242Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author.", + "event_id": "programs", + "id": "x-mitre-sensor-mapping--86999150-0d69-4117-ad92-4a157fa72064", + "modified": "2023-10-27T20:54:34.261242Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Registry Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.262246Z", + "id": "relationship--3c1a2747-fe06-45a9-8079-0c3cbd9d9171", + "modified": "2023-10-27T20:54:34.262246Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.262246Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Python packages installed in a system.", + "event_id": "python_packages", + "id": "x-mitre-sensor-mapping--f3897ca2-4253-4a61-a1ba-4bcfa6f886d2", + "modified": "2023-10-27T20:54:34.262246Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Script Installer", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.263302Z", 
+ "id": "relationship--f0d623a8-995f-413b-9dce-a521c4f60197", + "modified": "2023-10-27T20:54:34.263302Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.26385Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "RPM packages that are currently installed on the host system.", + "event_id": "rpm_package_files", + "id": "x-mitre-sensor-mapping--43455ddb-e212-47cd-a100-6abba9eb170b", + "modified": "2023-10-27T20:54:34.26385Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.264399Z", + "id": "relationship--355cc10f-bbd9-45a1-a184-92e93a5dd15b", + "modified": "2023-10-27T20:54:34.264399Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.265394Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "RPM packages that are currently installed on the host system.", + "event_id": "rpm_packages", + "id": "x-mitre-sensor-mapping--13f79664-cc7f-4430-9c61-7790072e0834", + "modified": "2023-10-27T20:54:34.265394Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.265394Z", + "id": 
"relationship--b778fb84-3e86-4f11-a053-9882e3e2288f", + "modified": "2023-10-27T20:54:34.265394Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.266444Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Current list of APT repositories or software channels.", + "event_id": "apt_sources", + "id": "x-mitre-sensor-mapping--af2cefe0-d703-467f-9423-f2ee64339c54", + "modified": "2023-10-27T20:54:34.266444Z", + "relationship": "Read", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.266444Z", + "id": "relationship--6c518168-625d-4b84-86fb-15da50fb168e", + "modified": "2023-10-27T20:54:34.266444Z", + "relationship_type": "Read", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.267448Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Track SELinux events.", + "event_id": "selinux_events", + "id": "x-mitre-sensor-mapping--ccb2bfd6-3161-4516-a70a-980098a3211e", + "modified": "2023-10-27T20:54:34.267448Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.267448Z", + "id": "relationship--4f94f0a3-92cb-4c38-85b2-2eb2b3fa1dd0", + "modified": "2023-10-27T20:54:34.267448Z", + 
"relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.268468Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Track active SELinux settings.", + "event_id": "selinux_settings", + "id": "x-mitre-sensor-mapping--dfc62099-1b1e-4ab1-a275-a71efc773456", + "modified": "2023-10-27T20:54:34.268468Z", + "relationship": "Read", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.268468Z", + "id": "relationship--2c10bd16-a5ea-4d2c-98af-1d281b91e6e6", + "modified": "2023-10-27T20:54:34.268468Z", + "relationship_type": "Read", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.269485Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "OS X application schemes and handlers (e.g., http, file, mailto).", + "event_id": "app_schemes", + "id": "x-mitre-sensor-mapping--2ee0d5eb-c8d2-4151-9711-012bd1b1db39", + "modified": "2023-10-27T20:54:34.269485Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status (Configuration)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.269485Z", + "id": "relationship--fed574a6-891b-4639-8e08-4c1f497c9109", + "modified": "2023-10-27T20:54:34.269485Z", + "relationship_type": "Accessed", + "revoked": 
false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.27056Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).", + "event_id": "patches", + "id": "x-mitre-sensor-mapping--c6cee60d-7c79-406a-baa3-4c215b738ba4", + "modified": "2023-10-27T20:54:34.27056Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.27056Z", + "id": "relationship--64bd68c9-bf2a-446f-9d2f-82b1193e76de", + "modified": "2023-10-27T20:54:34.27056Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.271508Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Lists named Windows objects in the default object directories, across all terminal services sessions. 
Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors.", + "event_id": "winbaseobj", + "id": "x-mitre-sensor-mapping--5acc1228-05dc-4591-b93f-41c3080afbf0", + "modified": "2023-10-27T20:54:34.271508Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.27255Z", + "id": "relationship--b504a9eb-13cb-41fa-b8c1-72a302bc902a", + "modified": "2023-10-27T20:54:34.27255Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.274146Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "System information for identification.", + "event_id": "system_info", + "id": "x-mitre-sensor-mapping--df088393-5afc-46b0-a21e-cb7ea5a519f7", + "modified": "2023-10-27T20:54:34.274146Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.274677Z", + "id": "relationship--490ce745-7782-4a1d-92cf-fabafd316f7e", + "modified": "2023-10-27T20:54:34.274677Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.275675Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Provides information about the internal battery 
of a Macbook.", + "event_id": "battery", + "id": "x-mitre-sensor-mapping--18b03594-5f55-4d94-a95f-04393f566109", + "modified": "2023-10-27T20:54:34.275675Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.275675Z", + "id": "relationship--3d7fefd1-e5bd-4244-b913-1963b26dbec4", + "modified": "2023-10-27T20:54:34.275675Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.276721Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.", + "event_id": "block_devices", + "id": "x-mitre-sensor-mapping--7e9bca5a-2a01-45e5-8724-2f21d57d61dc", + "modified": "2023-10-27T20:54:34.276721Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.276721Z", + "id": "relationship--8aaee8d0-f3cc-470c-a9df-a68c09af28cc", + "modified": "2023-10-27T20:54:34.276721Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.277728Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Display information pertaining to the chassis and its security status.", + "event_id": 
"chassis_info", + "id": "x-mitre-sensor-mapping--e69e790a-5a2c-4f01-a926-8c89c42749db", + "modified": "2023-10-27T20:54:34.277728Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.278735Z", + "id": "relationship--53d52c0b-8b69-4236-b6a0-a3bf8338b79d", + "modified": "2023-10-27T20:54:34.278735Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.278735Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Useful CPU features from the cpuid ASM call.", + "event_id": "cpuid", + "id": "x-mitre-sensor-mapping--06e556d4-c1fc-4fd3-9bfe-95394242aa9a", + "modified": "2023-10-27T20:54:34.278735Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.27975Z", + "id": "relationship--5d21c2ec-3bb2-470f-a6d1-0920087aba31", + "modified": "2023-10-27T20:54:34.27975Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.27975Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Info about the CPU running on the machine.", + "event_id": "cpu_info", + "id": "x-mitre-sensor-mapping--c9a5bb37-3442-4f3d-8851-5cbc8486775d", + 
"modified": "2023-10-27T20:54:34.27975Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.280772Z", + "id": "relationship--14a31eaa-9a20-43bf-885b-a1acf48861bd", + "modified": "2023-10-27T20:54:34.280772Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.280772Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.", + "event_id": "cpu_time", + "id": "x-mitre-sensor-mapping--0b28ad3e-1f21-456f-ac2d-5da11e96e06e", + "modified": "2023-10-27T20:54:34.280772Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.281789Z", + "id": "relationship--309bbae9-5a02-46ec-9b3e-4fad793a4fa2", + "modified": "2023-10-27T20:54:34.281789Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.281789Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Extracted information from Windows crash logs (Minidumps).", + "event_id": "windows_crashes", + "id": "x-mitre-sensor-mapping--d59c35bb-70e0-4269-83bf-7826e1f9cf49", + 
"modified": "2023-10-27T20:54:34.281789Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.282816Z", + "id": "relationship--abd7cd5c-2200-4c1a-ab41-1f7899ce2ebf", + "modified": "2023-10-27T20:54:34.282816Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.283367Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Application, System, and Mobile App crash logs.", + "event_id": "crashes", + "id": "x-mitre-sensor-mapping--806a2841-8ca8-4e45-8b3b-b6591cb7a6e1", + "modified": "2023-10-27T20:54:34.283367Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.283927Z", + "id": "relationship--9f5f18dd-fd90-4a8f-9638-9fb221abe4bf", + "modified": "2023-10-27T20:54:34.283927Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.283927Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Default environment variables and values.", + "event_id": "default_environment", + "id": "x-mitre-sensor-mapping--aeaec996-60f5-4ceb-b36c-5447094757f5", + "modified": "2023-10-27T20:54:34.283927Z", + "relationship": 
"Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.284925Z", + "id": "relationship--44b22f2b-521f-45ed-8b7e-561b8b96e84f", + "modified": "2023-10-27T20:54:34.284925Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.284925Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "OS X defaults and managed preferences.", + "event_id": "preferences", + "id": "x-mitre-sensor-mapping--86aadc40-2a49-4aa2-bbbd-b507c23b4eae", + "modified": "2023-10-27T20:54:34.284925Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Osx Preferences", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.286045Z", + "id": "relationship--b69b17dc-8c13-4ff2-a0c7-ef9517b8e2ee", + "modified": "2023-10-27T20:54:34.286045Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.28696Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "A best-effort list of discovered firmware versions.", + "event_id": "device_firmware", + "id": "x-mitre-sensor-mapping--032e178c-5cf7-4a7f-b596-f43e8470228a", + "modified": "2023-10-27T20:54:34.28696Z", + "relationship": "Read", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + 
"target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.287958Z", + "id": "relationship--e984f1cd-0e5f-4680-bcda-c25345efc729", + "modified": "2023-10-27T20:54:34.287958Z", + "relationship_type": "Read", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.288954Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Queries the Apple System Log data structure for system events", + "event_id": "asl", + "id": "x-mitre-sensor-mapping--f11e9878-7c72-419a-a446-7933f3ae1f4d", + "modified": "2023-10-27T20:54:34.288954Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.288954Z", + "id": "relationship--ea2ed9e1-9f99-4d6c-9445-f219d0f0ded2", + "modified": "2023-10-27T20:54:34.288954Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.289954Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Returns information about installed event taps.", + "event_id": "event_taps", + "id": "x-mitre-sensor-mapping--29ba1692-d99c-45f0-95fc-7ee75fd1be87", + "modified": "2023-10-27T20:54:34.289954Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": 
"DS0013" + }, + { + "created": "2023-10-27T20:54:34.289954Z", + "id": "relationship--6a63a9e3-6b36-439f-990d-31babe53c78c", + "modified": "2023-10-27T20:54:34.289954Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.290955Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Fan speeds.", + "event_id": "fan_speed_sensors", + "id": "x-mitre-sensor-mapping--92845954-17d9-4e18-9392-87f396645060", + "modified": "2023-10-27T20:54:34.290955Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.290955Z", + "id": "relationship--9567a6ff-7a03-4cd9-b0ab-889a63a819c5", + "modified": "2023-10-27T20:54:34.290955Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.291953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Retrieve video card information of the machine.", + "event_id": "video_info", + "id": "x-mitre-sensor-mapping--a837af14-286d-4525-8bdc-81947bbff5a2", + "modified": "2023-10-27T20:54:34.291953Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.292953Z", + "id": 
"relationship--7d4da70d-8682-44e4-92f5-c429e7aba84a", + "modified": "2023-10-27T20:54:34.292953Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.292953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Retrieve HVCI info of the machine.", + "event_id": "hvci_status", + "id": "x-mitre-sensor-mapping--3d91258f-9dfb-499a-9978-4eeb3837bafc", + "modified": "2023-10-27T20:54:34.292953Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status (Configuration)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.293954Z", + "id": "relationship--83335d12-1cf3-44e4-8a02-141c97f2b0a4", + "modified": "2023-10-27T20:54:34.293954Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.293954Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Information about the Apple iBridge hardware controller.", + "event_id": "ibridge_info", + "id": "x-mitre-sensor-mapping--38de6bff-4b1e-47e1-80f4-5c6c0c84a697", + "modified": "2023-10-27T20:54:34.293954Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.294953Z", + "id": "relationship--2b4307cc-8f45-40db-91f4-53f4fd6d1343", + "modified": 
"2023-10-27T20:54:34.294953Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.294953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class.", + "event_id": "windows_optional_features", + "id": "x-mitre-sensor-mapping--4aaeba74-78cd-4ebc-8bdb-810d4a8ffac3", + "modified": "2023-10-27T20:54:34.294953Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Windows Features", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.295953Z", + "id": "relationship--5db5de60-293c-4093-9ee4-5744b53bea04", + "modified": "2023-10-27T20:54:34.295953Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.295953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "OS X applications installed in known search paths (e.g., /Applications)", + "event_id": "apps", + "id": "x-mitre-sensor-mapping--abc2c400-e10d-4b4e-a299-9b5934551204", + "modified": "2023-10-27T20:54:34.295953Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Osx Applications", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.296952Z", + "id": "relationship--3362170b-89fb-4cca-a3e6-525bcee757f7", 
+ "modified": "2023-10-27T20:54:34.296952Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.297952Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Apple's System Integrity Protection (rootless) status.", + "event_id": "sip_config", + "id": "x-mitre-sensor-mapping--45c8c6d6-90e9-4c0c-bac0-4da264573853", + "modified": "2023-10-27T20:54:34.297952Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "System Integrity Protection", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.297952Z", + "id": "relationship--c54209f8-f4ba-4b12-b4be-eba231dac5be", + "modified": "2023-10-27T20:54:34.297952Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.298953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Intel ME/CSE Info.", + "event_id": "intel_me_info", + "id": "x-mitre-sensor-mapping--a4968c07-cb08-4c45-a3ae-7d5587162e8f", + "modified": "2023-10-27T20:54:34.298953Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.298953Z", + "id": "relationship--eb239c70-bc88-4f97-bc20-f1c2fbaf7586", + "modified": "2023-10-27T20:54:34.298953Z", + "relationship_type": "Accessed", + "revoked": 
false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.299952Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "System kernel panic logs.", + "event_id": "kernel_panics", + "id": "x-mitre-sensor-mapping--40cbeb3c-fa3c-418e-b2b0-02b02f0e3fba", + "modified": "2023-10-27T20:54:34.299952Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status (System Crash Data)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.299952Z", + "id": "relationship--72431dc3-0f6f-4fb9-8900-ebcfd7f17e62", + "modified": "2023-10-27T20:54:34.299952Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.300952Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "sysctl names, values, and settings information.", + "event_id": "system_controls", + "id": "x-mitre-sensor-mapping--a6de5ffa-1ad8-4aa7-96f0-18df2c0b5e94", + "modified": "2023-10-27T20:54:34.300952Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.300952Z", + "id": "relationship--b598bb9d-745c-41fd-abdb-88fbb0ffc6ae", + "modified": "2023-10-27T20:54:34.300952Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.301952Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Applications that have ACL entries in the keychain.", + "event_id": "keychain_acls", + "id": "x-mitre-sensor-mapping--b65992e0-3e6b-42cb-8234-3c1a25aab8c8", + "modified": "2023-10-27T20:54:34.301952Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.303057Z", + "id": "relationship--f1200f85-f2c9-47f2-adff-c42441407de5", + "modified": "2023-10-27T20:54:34.303057Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.303695Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Generic details about keychain items.", + "event_id": "keychain_items", + "id": "x-mitre-sensor-mapping--270f2b0f-25fd-4119-8ef5-8d18d3e8ec9f", + "modified": "2023-10-27T20:54:34.303695Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.304379Z", + "id": "relationship--e3c38ddb-11fb-4f58-977d-b19073b5f9cf", + "modified": "2023-10-27T20:54:34.304379Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + 
"spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.305364Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Main memory information in bytes.", + "event_id": "memory_info", + "id": "x-mitre-sensor-mapping--cb2e3d29-d4a0-4005-935e-0df1419a26be", + "modified": "2023-10-27T20:54:34.305364Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.305364Z", + "id": "relationship--443de89d-c97a-48af-9920-85836f2c623a", + "modified": "2023-10-27T20:54:34.305364Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.306421Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "OS memory region map.", + "event_id": "memory_map", + "id": "x-mitre-sensor-mapping--9a80362e-c18c-43c2-bc74-1a324d526804", + "modified": "2023-10-27T20:54:34.306421Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.306421Z", + "id": "relationship--10f9fa1f-de6f-469b-a11e-320f929b500a", + "modified": "2023-10-27T20:54:34.306421Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", 
+ "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.307415Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Booleans about Windows network connectivity.", + "event_id": "connectivity", + "id": "x-mitre-sensor-mapping--6b6913e4-2a4d-4981-a7ca-97d56ed3476d", + "modified": "2023-10-27T20:54:34.307415Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.308403Z", + "id": "relationship--758652e3-a7eb-4d87-954a-36cd0a28528b", + "modified": "2023-10-27T20:54:34.308403Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.308403Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Display basic NT domain information of a Windows machine.", + "event_id": "ntdomains", + "id": "x-mitre-sensor-mapping--5bab44a3-8482-4e86-966c-eca1317d1a49", + "modified": "2023-10-27T20:54:34.308403Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.309474Z", + "id": "relationship--0f10e5ac-8f61-41ed-8f25-51c37fd9c4d3", + "modified": "2023-10-27T20:54:34.309474Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": 
"2023-10-27T20:54:34.309474Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "A single row containing the operating system name and version.", + "event_id": "os_version", + "id": "x-mitre-sensor-mapping--c2e11f7a-cbf8-4563-8863-52cae38ac134", + "modified": "2023-10-27T20:54:34.309474Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.310489Z", + "id": "relationship--9e82f667-0531-4561-a0f3-aab79a59f748", + "modified": "2023-10-27T20:54:34.310489Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.312529Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Returns all completed print jobs from cups.", + "event_id": "cups_jobs", + "id": "x-mitre-sensor-mapping--2b8f4073-a40b-4266-beae-fdd02e71b41b", + "modified": "2023-10-27T20:54:34.312529Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Printer Jobs", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.312529Z", + "id": "relationship--9303b78b-97ba-458c-93c5-c194e97930f6", + "modified": "2023-10-27T20:54:34.312529Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.313533Z", + "data_component": "Host Status", 
+ "data_source": "Sensor Health", + "description": "Returns all configured printers.", + "event_id": "cups_destinations", + "id": "x-mitre-sensor-mapping--ca3d4138-4d63-40a5-abbd-222ef91a84ee", + "modified": "2023-10-27T20:54:34.313533Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Printer Info", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.314589Z", + "id": "relationship--e1b87c77-40ea-40fa-8d90-0e3361fe6807", + "modified": "2023-10-27T20:54:34.314589Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.315671Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Enumeration of registered Windows security products.", + "event_id": "windows_security_products", + "id": "x-mitre-sensor-mapping--df263631-baaf-4e88-9e23-89f11c80344b", + "modified": "2023-10-27T20:54:34.315671Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Windows Security Products", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.315671Z", + "id": "relationship--960d9cde-7291-4eab-b5e8-fefdb9256e40", + "modified": "2023-10-27T20:54:34.315671Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.316694Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + 
"description": "System resource usage limits.", + "event_id": "ulimit_info", + "id": "x-mitre-sensor-mapping--652c8b37-f04b-4b70-afdf-11adb631806d", + "modified": "2023-10-27T20:54:34.316694Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.316694Z", + "id": "relationship--1cfdb14d-ccb0-47b9-83cf-5d0186728314", + "modified": "2023-10-27T20:54:34.316694Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.317773Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Track AppArmor (security auditing) events.", + "event_id": "apparmor_events", + "id": "x-mitre-sensor-mapping--9e250d4a-237a-45c7-946a-8171d650f2be", + "modified": "2023-10-27T20:54:34.317773Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.31871Z", + "id": "relationship--9beb5c4d-c3a9-4c5f-b36d-357743a26a11", + "modified": "2023-10-27T20:54:34.31871Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.31928Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Track active AppArmor profiles.", + "event_id": "apparmor_profiles", + "id": 
"x-mitre-sensor-mapping--e48b0c8e-6ec1-456f-8592-ddea702508f2", + "modified": "2023-10-27T20:54:34.31928Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.31928Z", + "id": "relationship--240e0768-3351-41b2-8891-9b8d55cd685d", + "modified": "2023-10-27T20:54:34.31928Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.320294Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The health status of Window Security features. Health values can be \"Good\", \"Poor\". \"Snoozed\", \"Not Monitored\", and \"Error\".", + "event_id": "windows_security_center", + "id": "x-mitre-sensor-mapping--dfbb6200-c024-458d-b40e-1c43cf763eab", + "modified": "2023-10-27T20:54:34.320294Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.320294Z", + "id": "relationship--18900212-a99a-474c-aac5-5835bbec965a", + "modified": "2023-10-27T20:54:34.320294Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.321362Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Displays shared resources on a computer system running 
Windows. This may be a disk drive, printer, interprocess communication, or other sharable device.", + "event_id": "shared_resources", + "id": "x-mitre-sensor-mapping--03e11a47-1137-45b4-b846-6b3c86231506", + "modified": "2023-10-27T20:54:34.321362Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Shared Resources", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.321362Z", + "id": "relationship--85465530-53f9-47a1-a3ca-1cb90cc20bb9", + "modified": "2023-10-27T20:54:34.321362Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.322361Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Rules for running commands as other users via sudo.", + "event_id": "sudoers", + "id": "x-mitre-sensor-mapping--b995d606-6bd4-4079-a7df-f50a23e746e7", + "modified": "2023-10-27T20:54:34.322361Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.322361Z", + "id": "relationship--b98034ae-555b-4db4-9dfa-f82bc206f640", + "modified": "2023-10-27T20:54:34.322361Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.323362Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": 
"Linux syslog events.", + "event_id": "syslog_events", + "id": "x-mitre-sensor-mapping--437edace-c374-4b06-a3a9-9f13c473fe4b", + "modified": "2023-10-27T20:54:34.323362Z", + "relationship": "Updated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.324588Z", + "id": "relationship--0bb863ca-9c4c-46de-af66-c53b517fcf6f", + "modified": "2023-10-27T20:54:34.324588Z", + "relationship_type": "Updated", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.325586Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Database of the machine's XProtect browser-related signatures.", + "event_id": "xprotect_meta", + "id": "x-mitre-sensor-mapping--8c587ea9-6f12-4685-b906-4810c5c2cdd3", + "modified": "2023-10-27T20:54:34.325586Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.326575Z", + "id": "relationship--0d16d3e5-3d05-4536-8724-68c7431d8bb3", + "modified": "2023-10-27T20:54:34.326575Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.327046Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Database of the machine's XProtect signatures.", + "event_id": "xprotect_entries", 
+ "id": "x-mitre-sensor-mapping--6c5a2d42-22a6-4b85-9c99-326e8f0c7ec8", + "modified": "2023-10-27T20:54:34.327046Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.327569Z", + "id": "relationship--7aac2f65-3739-498b-823d-f3343846c345", + "modified": "2023-10-27T20:54:34.327569Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.328569Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Database of XProtect matches (if user generated/sent an XProtect report).", + "event_id": "xprotect_reports", + "id": "x-mitre-sensor-mapping--d7e56be6-10ca-4a69-bc3d-e84f52df5b10", + "modified": "2023-10-27T20:54:34.328569Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.328569Z", + "id": "relationship--f731bfaa-cd54-4fce-9fa7-0f55fd1e90e6", + "modified": "2023-10-27T20:54:34.328569Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.329569Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--eb6317db-f95f-4132-a7dc-48f331591b13", + "modified": "2023-10-27T20:54:34.329569Z", + "name": "Image 
Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.329569Z", + "data_component": "Image Metadata", + "data_source": "Image", + "description": "OS X application sandboxes container details.", + "event_id": "sandboxes", + "id": "x-mitre-sensor-mapping--75b319ec-948c-4259-925c-bad184b363da", + "modified": "2023-10-27T20:54:34.329569Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Image", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0007" + }, + { + "created": "2023-10-27T20:54:34.33057Z", + "id": "relationship--1da6954f-7c83-41f0-b4c8-85793def1e54", + "modified": "2023-10-27T20:54:34.33057Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eb6317db-f95f-4132-a7dc-48f331591b13", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.33057Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "modified": "2023-10-27T20:54:34.33057Z", + "name": "Kernel Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + 
"x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.331569Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Data associated for address mapping of physical memory arrays.", + "event_id": "memory_array_mapped_addresses", + "id": "x-mitre-sensor-mapping--2111462a-c678-4e79-afbe-74b730cda96e", + "modified": "2023-10-27T20:54:34.331569Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.331569Z", + "id": "relationship--7194059d-a19d-4f4a-9218-3cebcd30dec8", + "modified": "2023-10-27T20:54:34.331569Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.333584Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Data associated for address mapping of physical memory devices.", + "event_id": "memory_device_mapped_addresses", + "id": "x-mitre-sensor-mapping--e376a57d-9ff2-4a9e-8d0f-82afc586d7b9", + "modified": "2023-10-27T20:54:34.333584Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.333584Z", + "id": "relationship--0ce84687-43f3-4177-b74c-92d90e9e9308", + "modified": "2023-10-27T20:54:34.333584Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.334623Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Data associated with collection of memory devices that operate to form a memory address.", + "event_id": "memory_arrays", + "id": "x-mitre-sensor-mapping--1a4238b6-26f8-425f-9a24-8b145d0d105a", + "modified": "2023-10-27T20:54:34.334623Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.334623Z", + "id": "relationship--5d6ce1c6-4311-437d-830d-e911e7f766ab", + "modified": "2023-10-27T20:54:34.334623Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.335683Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Physical memory device (type 17) information retrieved from SMBIOS.", + "event_id": "memory_devices", + "id": "x-mitre-sensor-mapping--6031d79b-55bd-4665-a068-ab3f338fc5fd", + "modified": "2023-10-27T20:54:34.335683Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.33668Z", + "id": "relationship--cf8f9d48-e292-4db3-81bf-b9c83b725f61", + "modified": "2023-10-27T20:54:34.33668Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.33668Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "OS shared memory regions.", + "event_id": "shared_memory", + "id": "x-mitre-sensor-mapping--dac085fb-6d2d-4ce6-9c15-bb9812db5e61", + "modified": "2023-10-27T20:54:34.33668Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.337675Z", + "id": "relationship--a2022705-272f-4e15-99ef-d70964fea848", + "modified": "2023-10-27T20:54:34.337675Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.337675Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Darwin Virtual Memory statistics.", + "event_id": "virtual_memory_info", + "id": "x-mitre-sensor-mapping--5a495ae8-7c47-493b-b171-1b3d42278f51", + "modified": "2023-10-27T20:54:34.337675Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.338668Z", + "id": "relationship--f5239dbe-8afe-4837-aa5a-9f839cd62b8e", + "modified": "2023-10-27T20:54:34.338668Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.339673Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "OS X's kernel extensions, both loaded and within the load search path.", + "event_id": "kernel_extensions", + "id": "x-mitre-sensor-mapping--cde1a64d-5ae1-4700-a702-db0b7ec249b6", + "modified": "2023-10-27T20:54:34.339673Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kernel Module", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.339673Z", + "id": "relationship--47b9f54f-5e09-438b-b826-30c5ae153ca5", + "modified": "2023-10-27T20:54:34.339673Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.340669Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Basic active kernel information.", + "event_id": "kernel_info", + "id": "x-mitre-sensor-mapping--ff146701-7844-4a77-8ad0-af9b1494b2d7", + "modified": "2023-10-27T20:54:34.340669Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.341667Z", + "id": "relationship--ad7ff227-4562-4444-b848-54e303574274", + "modified": "2023-10-27T20:54:34.341667Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": 
"relationship" + }, + { + "created": "2023-10-27T20:54:34.342672Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Display kernel virtual address and speculative execution information for the system.", + "event_id": "kva_speculative_info", + "id": "x-mitre-sensor-mapping--ac974919-8681-49f1-8f03-fc1373e574ba", + "modified": "2023-10-27T20:54:34.342672Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Kernel Virtual Address", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.342672Z", + "id": "relationship--e7dd418b-390f-4032-b43e-bde65b2a77cb", + "modified": "2023-10-27T20:54:34.342672Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.343671Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--9e564c43-b8f9-44f9-b2a8-7b525590733e", + "modified": "2023-10-27T20:54:34.343671Z", + "name": "Kernel Module Load", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.344673Z", + "data_component": "Kernel Module Load", + "data_source": "Kernel", + "description": "OS X Authorization mechanisms database.", + "event_id": "authorization_mechanisms", + "id": 
"x-mitre-sensor-mapping--d883c58f-4e8c-4f86-a7d8-255c0fd7cfd7", + "modified": "2023-10-27T20:54:34.344673Z", + "relationship": "Loaded", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kernel Module", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.344673Z", + "id": "relationship--dabf4324-5af3-4b1d-9671-49421184a5d1", + "modified": "2023-10-27T20:54:34.344673Z", + "relationship_type": "Loaded", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9e564c43-b8f9-44f9-b2a8-7b525590733e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.345757Z", + "data_component": "Kernel Module Load", + "data_source": "Kernel", + "description": "Loaded FreeBSD kernel modules.", + "event_id": "fbsd_kmods", + "id": "x-mitre-sensor-mapping--816da180-4a74-45e1-88b8-25695757cb6a", + "modified": "2023-10-27T20:54:34.345757Z", + "relationship": "Loaded", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Kernel Module", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.345757Z", + "id": "relationship--455c60fd-9c2a-47ac-915b-a4d6f10d7475", + "modified": "2023-10-27T20:54:34.345757Z", + "relationship_type": "Loaded", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9e564c43-b8f9-44f9-b2a8-7b525590733e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.346751Z", + "data_component": "Kernel Module Load", + "data_source": "Kernel", + "description": "Linux kernel modules both loaded and within the load search path.", + "event_id": "kernel_modules", + "id": "x-mitre-sensor-mapping--ae5277e5-17d5-4bdb-99d3-3f6533c1af3c", + "modified": 
"2023-10-27T20:54:34.346751Z", + "relationship": "Loaded", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel Modules", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.346751Z", + "id": "relationship--10c7ab6c-0580-4fa0-91c4-264a5178a379", + "modified": "2023-10-27T20:54:34.346751Z", + "relationship_type": "Loaded", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9e564c43-b8f9-44f9-b2a8-7b525590733e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.672871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "modified": "2023-10-27T20:54:33.672871Z", + "name": "Logon Session Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.34775Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Users with an active shell on the system.", + "event_id": "logged_in_users", + "id": "x-mitre-sensor-mapping--148906b2-6328-43c0-b52d-d804ef760656", + "modified": "2023-10-27T20:54:34.34775Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Logon Session Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": 
"2023-10-27T20:54:34.348761Z", + "id": "relationship--93e1eb24-3975-4b0b-b216-d16e7aee5f89", + "modified": "2023-10-27T20:54:34.348761Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.348761Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "System logins and logouts.", + "event_id": "last", + "id": "x-mitre-sensor-mapping--2f01133d-ac36-4adc-a8c1-d4be25cef5a1", + "modified": "2023-10-27T20:54:34.348761Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Logon Session Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.349744Z", + "id": "relationship--0b246f91-4b81-4882-aa46-386d10e136c0", + "modified": "2023-10-27T20:54:34.349744Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.349744Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Windows Logon Session.", + "event_id": "logon_sessions", + "id": "x-mitre-sensor-mapping--1bcb2a4f-4d31-44c6-9f27-810d977b5620", + "modified": "2023-10-27T20:54:34.349744Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Logon Session Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.350747Z", + "id": 
"relationship--335cdb9a-fb46-4dcc-83b3-eb077087f42b", + "modified": "2023-10-27T20:54:34.350747Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.350747Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--76030842-1fa0-431f-b821-0d683b3946ab", + "modified": "2023-10-27T20:54:34.350747Z", + "name": "Named Pipe Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.351751Z", + "data_component": "Named Pipe Enumeration", + "data_source": "Named Pipe", + "description": "Named and Anonymous pipes.", + "event_id": "pipes", + "id": "x-mitre-sensor-mapping--9770c533-68ec-4477-b56b-5194f9c5b3aa", + "modified": "2023-10-27T20:54:34.351751Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Named Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.351751Z", + "id": "relationship--64a566a1-25d9-4c98-ba2a-01263804b42a", + "modified": "2023-10-27T20:54:34.351751Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--76030842-1fa0-431f-b821-0d683b3946ab", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.352744Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "modified": "2023-10-27T20:54:34.352744Z", + "name": "Network Share Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.352744Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "System mounted devices and filesystems (not process specific).", + "event_id": "mounts", + "id": "x-mitre-sensor-mapping--0b2056ef-de3c-4e1d-b450-6b33adca37c0", + "modified": "2023-10-27T20:54:34.352744Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.353747Z", + "id": "relationship--13e24f63-22ee-4da3-8c55-2fdcdc752c5a", + "modified": "2023-10-27T20:54:34.353747Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.354693Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "Folders available to others via SMB 
or AFP.", + "event_id": "shared_folders", + "id": "x-mitre-sensor-mapping--a81ed573-00c8-4d06-b0f5-a107bcdf94fc", + "modified": "2023-10-27T20:54:34.354693Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.354693Z", + "id": "relationship--5db32815-fd40-463f-870e-f56f936a969f", + "modified": "2023-10-27T20:54:34.354693Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.355693Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "NFS shares exported by the host.", + "event_id": "nfs_shares", + "id": "x-mitre-sensor-mapping--860645bb-da5e-4c74-b6b2-4262cfedca18", + "modified": "2023-10-27T20:54:34.355693Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.355693Z", + "id": "relationship--625ef5d5-84ca-41c9-8091-93646b8cee60", + "modified": "2023-10-27T20:54:34.355693Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.356762Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "OS X Sharing preferences.", + "event_id": "sharing_preferences", + "id": 
"x-mitre-sensor-mapping--21380588-6392-4b9f-9838-11065cf5dbcf", + "modified": "2023-10-27T20:54:34.356762Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.358765Z", + "id": "relationship--9ee989ef-2418-4ee7-91ef-3a5d3c087afc", + "modified": "2023-10-27T20:54:34.358765Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.359765Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "modified": "2023-10-27T20:54:34.359765Z", + "name": "Network Status", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.359765Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Address resolution cache, both static and dynamic (from ARP, NDP)", + "event_id": "arp_cache", + "id": "x-mitre-sensor-mapping--4ea3f298-ce1e-404d-a34b-20fdba174606", + "modified": "2023-10-27T20:54:34.359765Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Arp Cache", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.360774Z", + "id": "relationship--18cb2878-9643-45ea-8dcf-71d71a575513", + "modified": "2023-10-27T20:54:34.360774Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.361769Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.", + "event_id": "dns_cache", + "id": "x-mitre-sensor-mapping--62dd2bca-ce3e-47de-a888-36f6f5c22308", + "modified": "2023-10-27T20:54:34.361769Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Dns Cache", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.361769Z", + "id": "relationship--3591fc91-3640-44f2-917a-42b75d0c8b6f", + "modified": "2023-10-27T20:54:34.361769Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.363684Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Resolvers used by this host.", + "event_id": "dns_resolvers", + "id": "x-mitre-sensor-mapping--b6d3e3e0-5dc7-4116-b6d9-77cd4b4fe7ee", + "modified": "2023-10-27T20:54:34.363684Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Dns Resolvers", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + 
"created": "2023-10-27T20:54:34.363684Z", + "id": "relationship--2c5c3dd2-7f15-431c-a681-b65084a01121", + "modified": "2023-10-27T20:54:34.363684Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.364806Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "LLDP neighbors of interfaces.", + "event_id": "lldp_neighbors", + "id": "x-mitre-sensor-mapping--d4082d38-d2a1-4f82-8e03-eb34ba744a83", + "modified": "2023-10-27T20:54:34.364806Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Lldp Neighbor", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.364806Z", + "id": "relationship--6d78598c-260d-4766-8ae4-3fffcde1cd0d", + "modified": "2023-10-27T20:54:34.364806Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.365833Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Line-parsed /etc/protocols.", + "event_id": "etc_protocols", + "id": "x-mitre-sensor-mapping--0b0949b2-aa5a-4186-bcbc-f287d015dde8", + "modified": "2023-10-27T20:54:34.365833Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Protocols", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.366774Z", + "id": 
"relationship--688c7a87-f2c3-4b92-abd2-ffa904b47db9", + "modified": "2023-10-27T20:54:34.366774Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.366774Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Line-parsed /etc/hosts.", + "event_id": "etc_hosts", + "id": "x-mitre-sensor-mapping--25669419-0729-4040-838d-1a26cf81e609", + "modified": "2023-10-27T20:54:34.366774Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Hosts", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.367849Z", + "id": "relationship--d268c3d1-2da9-4b54-8ce0-fecaffe7147f", + "modified": "2023-10-27T20:54:34.367849Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.367849Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Line-parsed /etc/services.", + "event_id": "etc_services", + "id": "x-mitre-sensor-mapping--4032577f-3050-47e4-949d-5dd276105118", + "modified": "2023-10-27T20:54:34.367849Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Services", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.368856Z", + "id": "relationship--d64d220b-75e6-4434-af8b-c74150e68764", + "modified": "2023-10-27T20:54:34.368856Z", + "relationship_type": 
"Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.369855Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "The active route table for the host system.", + "event_id": "routes", + "id": "x-mitre-sensor-mapping--27157ac3-41d9-4396-b4bd-6068a889466c", + "modified": "2023-10-27T20:54:34.369855Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Routes", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.369855Z", + "id": "relationship--30359067-8a6a-4f57-8f99-0f8a4e6a4eb1", + "modified": "2023-10-27T20:54:34.369855Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.371116Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Detailed information and stats of network interfaces.", + "event_id": "interface_details", + "id": "x-mitre-sensor-mapping--dd7f92d4-04a7-4641-9373-a35880f1d10b", + "modified": "2023-10-27T20:54:34.371116Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Network Interfaces", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.371116Z", + "id": "relationship--ce395b43-ca3b-44a6-8628-8ddb6df47f8a", + "modified": "2023-10-27T20:54:34.371116Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.371849Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Network interfaces and relevant metadata.", + "event_id": "interfaces", + "id": "x-mitre-sensor-mapping--080d2aaa-ed14-49e1-89e5-d46be3672118", + "modified": "2023-10-27T20:54:34.371849Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Network Interfaces", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.372768Z", + "id": "relationship--bf94e949-a107-4ee7-b407-897414982dd8", + "modified": "2023-10-27T20:54:34.372768Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.372768Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "IPv6 configuration and stats of network interfaces.", + "event_id": "interface_ipv6", + "id": "x-mitre-sensor-mapping--8fe4cc54-250e-4b7b-a01e-0866799a4c94", + "modified": "2023-10-27T20:54:34.372768Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Ipv6 Configuration", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.37394Z", + "id": "relationship--cb820da1-16a1-4fb9-884c-f59c0f9183c8", + "modified": "2023-10-27T20:54:34.37394Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": 
"x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.374917Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "OS X current WiFi status.", + "event_id": "wifi_status", + "id": "x-mitre-sensor-mapping--179dfa84-3304-4dbd-8f6d-59b4bf6ca735", + "modified": "2023-10-27T20:54:34.374917Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Wifi Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.374917Z", + "id": "relationship--7a798558-e4af-4016-a33c-744d15f740be", + "modified": "2023-10-27T20:54:34.374917Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.375972Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Processes with listening (bound) network sockets/ports.", + "event_id": "listening_ports", + "id": "x-mitre-sensor-mapping--59cbfe21-1873-47ab-b5c4-c566de9f96fc", + "modified": "2023-10-27T20:54:34.375972Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Listening Ports", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.377027Z", + "id": "relationship--477ff084-e4e3-451f-8fb9-122aeb30232c", + "modified": "2023-10-27T20:54:34.377027Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", 
+ "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.377027Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "A table of parsed ssh_configs.", + "event_id": "ssh_configs", + "id": "x-mitre-sensor-mapping--173fdd4b-a54c-433d-9ca0-7e50fee060e9", + "modified": "2023-10-27T20:54:34.377027Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Ssh Configs", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.378113Z", + "id": "relationship--3e118ba4-34d7-4795-b6e4-97a54f5b36a0", + "modified": "2023-10-27T20:54:34.378113Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.379041Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "A line-delimited known_hosts table.", + "event_id": "known_hosts", + "id": "x-mitre-sensor-mapping--7850b5fd-5b7d-43eb-9e54-81f34572a539", + "modified": "2023-10-27T20:54:34.379041Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Hosts", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.379041Z", + "id": "relationship--eb4b6319-ca16-480a-b4ef-c03b4dd10028", + "modified": "2023-10-27T20:54:34.379041Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.679872Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "modified": "2023-10-27T20:54:33.679872Z", + "name": "Network Traffic Content", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.380112Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Track network socket opens and closes.", + "event_id": "socket_events", + "id": "x-mitre-sensor-mapping--758d4e5d-d0c9-47c9-aa68-77813ca73d4d", + "modified": "2023-10-27T20:54:34.380112Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Socket", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.380112Z", + "id": "relationship--cad226ae-cc82-4621-9162-8c7133188fdc", + "modified": "2023-10-27T20:54:34.380112Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.381381Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Track network socket opens and closes.", + "event_id": 
"socket_events", + "id": "x-mitre-sensor-mapping--9371b5c3-6c52-4df3-b8d8-8639af867c52", + "modified": "2023-10-27T20:54:34.381381Z", + "relationship": "Deleted", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Socket", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.382452Z", + "id": "relationship--fff2ef5a-4c35-44ca-aea9-b1fdbc6c8cb2", + "modified": "2023-10-27T20:54:34.382452Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.382452Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Track network socket opens and closes.", + "event_id": "socket_events", + "id": "x-mitre-sensor-mapping--7a8e7920-8804-482c-be04-78b265dadc91", + "modified": "2023-10-27T20:54:34.382452Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Socket", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.3835Z", + "id": "relationship--185b0aea-75e0-49f8-bb9f-c4a7547a4ec5", + "modified": "2023-10-27T20:54:34.3835Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.684869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "modified": "2023-10-27T20:54:33.684869Z", + "name": "Process Creation", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.384139Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "macOS applications currently running on the host system.", + "event_id": "running_apps", + "id": "x-mitre-sensor-mapping--fb9f3880-323f-46e9-bdd7-f1c2cef902fc", + "modified": "2023-10-27T20:54:34.384139Z", + "relationship": "Executed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.384761Z", + "id": "relationship--261a193f-18a6-4298-85f9-c2576ac8907b", + "modified": "2023-10-27T20:54:34.384761Z", + "relationship_type": "Executed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.385844Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--c1de592f-7b86-4c7b-b2ef-03df0d9e9630", + "modified": "2023-10-27T20:54:34.385844Z", + "name": "Process Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + 
"x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.38676Z", + "data_component": "Process Enumeration", + "data_source": "Process", + "description": "All running processes on the host system.", + "event_id": "processes", + "id": "x-mitre-sensor-mapping--f7addd5f-c618-41a3-a06d-28ae37302f63", + "modified": "2023-10-27T20:54:34.38676Z", + "relationship": "Enumerated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.387867Z", + "id": "relationship--e3fcc4c8-c59f-4086-b077-055932a5f2f5", + "modified": "2023-10-27T20:54:34.387867Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--c1de592f-7b86-4c7b-b2ef-03df0d9e9630", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.387867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "modified": "2023-10-27T20:54:34.387867Z", + "name": "Process Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.388874Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Track time/action process 
executions.", + "event_id": "process_events", + "id": "x-mitre-sensor-mapping--94ac5023-cb52-4b9e-8880-705d77297504", + "modified": "2023-10-27T20:54:34.388874Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.388874Z", + "id": "relationship--69805f0c-3667-4268-b9ab-0b79a9accaff", + "modified": "2023-10-27T20:54:34.388874Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.389961Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "A key/value table of environment variables for each process.", + "event_id": "process_envs", + "id": "x-mitre-sensor-mapping--e25fa79c-5d2b-49b9-a0f3-d1c38818b9bc", + "modified": "2023-10-27T20:54:34.389961Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.389961Z", + "id": "relationship--33bd8b98-51c6-413c-bc9b-d08018b0087d", + "modified": "2023-10-27T20:54:34.389961Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.391361Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Process memory mapped files and pseudo device/regions.", + "event_id": 
"process_memory_map", + "id": "x-mitre-sensor-mapping--f592a986-1c50-4e87-b290-ace0fc30b000", + "modified": "2023-10-27T20:54:34.391361Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.391361Z", + "id": "relationship--5ade4521-dba2-4646-94bb-65fb55e8d91d", + "modified": "2023-10-27T20:54:34.391361Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.392453Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Linux namespaces for processes running on the host system.", + "event_id": "process_namespaces", + "id": "x-mitre-sensor-mapping--4be108af-ba31-450b-a825-1808d8383a02", + "modified": "2023-10-27T20:54:34.392453Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.394656Z", + "id": "relationship--76f8fdcb-e7a0-464d-a398-14f4cea5b0f9", + "modified": "2023-10-27T20:54:34.394656Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.395659Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "File descriptors for each process.", + "event_id": "process_open_files", + "id": 
"x-mitre-sensor-mapping--b0afb8e4-2f88-45a6-8ecd-a6fb9026fc2d", + "modified": "2023-10-27T20:54:34.395659Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.396791Z", + "id": "relationship--73916f24-aff5-4c9c-94af-08c2b43ed869", + "modified": "2023-10-27T20:54:34.396791Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.397863Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Pipes and partner processes for each process.", + "event_id": "process_open_pipes", + "id": "x-mitre-sensor-mapping--93c9edbd-a153-47a3-9488-ec00adb86408", + "modified": "2023-10-27T20:54:34.397863Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.397863Z", + "id": "relationship--0f5b4f85-b9eb-4759-b9c0-922652ac6722", + "modified": "2023-10-27T20:54:34.397863Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.398881Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Processes which have open network sockets on the system.", + "event_id": "process_open_sockets", + "id": 
"x-mitre-sensor-mapping--fee82275-2487-484e-aa35-5111c73feee2", + "modified": "2023-10-27T20:54:34.398881Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.398881Z", + "id": "relationship--ffd9c925-8a74-4b78-bb43-8dbd4d7eb1ad", + "modified": "2023-10-27T20:54:34.398881Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.399986Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Background Activities Moderator (BAM) tracks application execution.", + "event_id": "background_activities_moderator", + "id": "x-mitre-sensor-mapping--687e1829-a8dc-4e54-a0c0-1698027f47d1", + "modified": "2023-10-27T20:54:34.399986Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.399986Z", + "id": "relationship--a1131966-762b-42b0-9d25-3ed71b5c9e39", + "modified": "2023-10-27T20:54:34.399986Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.401003Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "OS X package receipt details.", + "event_id": "package_receipts", + "id": 
"x-mitre-sensor-mapping--c8f27c02-910a-4597-9b95-aa402a1c0de7", + "modified": "2023-10-27T20:54:34.401003Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.402088Z", + "id": "relationship--85cb5276-7c70-43cb-be7c-15d258452554", + "modified": "2023-10-27T20:54:34.402088Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.402088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--86a6c50d-2905-48e2-962f-02888494902e", + "modified": "2023-10-27T20:54:34.402088Z", + "name": "Scheduled Job Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.403468Z", + "data_component": "Scheduled Job Metadata", + "data_source": "Scheduled Job", + "description": "Line parsed values from system and user cron/tab.", + "event_id": "crontab", + "id": "x-mitre-sensor-mapping--b205f9f7-75c5-4cbc-9d71-fba3d7c89c85", + "modified": "2023-10-27T20:54:34.403468Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Cron/Tab", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.403468Z", + "id": "relationship--5305f300-cec5-46b1-97c5-e086efd2dba7", + "modified": "2023-10-27T20:54:34.403468Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--86a6c50d-2905-48e2-962f-02888494902e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.404717Z", + "data_component": "Scheduled Job Metadata", + "data_source": "Scheduled Job", + "description": "LaunchAgents and LaunchDaemons from default search paths.", + "event_id": "launchd", + "id": "x-mitre-sensor-mapping--3b15ac88-a1f8-4eb3-99b7-846497e9e2a2", + "modified": "2023-10-27T20:54:34.404717Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Launchd", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.404717Z", + "id": "relationship--90b00aaf-7389-482b-98e4-7882b10a2c60", + "modified": "2023-10-27T20:54:34.404717Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--86a6c50d-2905-48e2-962f-02888494902e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.4058Z", + "data_component": "Scheduled Job Metadata", + "data_source": "Scheduled Job", + "description": "Override keys, per user, for LaunchDaemons and Agents.", + "event_id": "launchd_overrides", + "id": "x-mitre-sensor-mapping--3c985d7c-24ff-448c-8f66-9f32d275b1fe", + "modified": "2023-10-27T20:54:34.4058Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Launchd", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + 
"created": "2023-10-27T20:54:34.4058Z", + "id": "relationship--b58e094b-0eda-4043-a497-c7ac52086f5f", + "modified": "2023-10-27T20:54:34.4058Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--86a6c50d-2905-48e2-962f-02888494902e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.406838Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-source--e7451f92-3a8a-4d49-b401-b97d0c2fed58", + "modified": "2023-10-27T20:54:34.406838Z", + "name": "Scheduled Task", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-source", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.407826Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6e3ce423-8db0-4834-97b9-8ff190f2f15d", + "modified": "2023-10-27T20:54:34.407826Z", + "name": "Scheduled Task Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e7451f92-3a8a-4d49-b401-b97d0c2fed58", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.407826Z", + "data_component": "Scheduled Task Enumeration", + "data_source": "Scheduled Task", 
+ "description": "Lists all of the tasks in the Windows task scheduler.", + "event_id": "scheduled_tasks", + "id": "x-mitre-sensor-mapping--fc159f5a-3151-4a40-9eba-518ab1cd5c17", + "modified": "2023-10-27T20:54:34.407826Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Scheduled Tasks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:34.408924Z", + "id": "relationship--22f4b8ae-153f-420b-9f77-8598acfb580a", + "modified": "2023-10-27T20:54:34.408924Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--e7451f92-3a8a-4d49-b401-b97d0c2fed58", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6e3ce423-8db0-4834-97b9-8ff190f2f15d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.41011Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--addbbfdc-b803-4934-a50a-f1dca0787274", + "modified": "2023-10-27T20:54:34.41011Z", + "name": "Script Execution", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.411109Z", + "data_component": "Script Execution", + "data_source": "Script", + "description": "Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.", + "event_id": "powershell_events", + "id": "x-mitre-sensor-mapping--59a64c07-8840-4839-bf8a-aa974b53ad49", + "modified": "2023-10-27T20:54:34.411109Z", 
+ "relationship": "Recorded", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Script Execution", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0012" + }, + { + "created": "2023-10-27T20:54:34.411109Z", + "id": "relationship--905cb016-93db-4836-ad4c-22ecb2e7f5ee", + "modified": "2023-10-27T20:54:34.411109Z", + "relationship_type": "Recorded", + "revoked": false, + "source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--addbbfdc-b803-4934-a50a-f1dca0787274", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.412139Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fb908e6d-dcd4-446b-aac3-6b9dc4d4b8c3", + "modified": "2023-10-27T20:54:34.412139Z", + "name": "Service Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.413143Z", + "data_component": "Service Enumeration", + "data_source": "Service", + "description": "Lists all installed Windows services and their relevant data.", + "event_id": "services", + "id": "x-mitre-sensor-mapping--c72d5f76-105d-4d9a-bedb-bf5883d63848", + "modified": "2023-10-27T20:54:34.413143Z", + "relationship": "Read", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Services", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.413143Z", + "id": 
"relationship--b7d02d76-fb1a-43ab-84c2-9f2a2996b640", + "modified": "2023-10-27T20:54:34.413143Z", + "relationship_type": "Read", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fb908e6d-dcd4-446b-aac3-6b9dc4d4b8c3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.69607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "modified": "2023-10-27T20:54:33.69607Z", + "name": "Service Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.414183Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Gatekeeper apps a user has allowed to run.", + "event_id": "gatekeeper_apps", + "id": "x-mitre-sensor-mapping--8455741c-b037-44c7-8e4e-a277d461e8ca", + "modified": "2023-10-27T20:54:34.414183Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Gatekeeper", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.415173Z", + "id": "relationship--816e4b5a-4e57-4015-883a-3ca7bd730836", + "modified": "2023-10-27T20:54:34.415173Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.416222Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "OS X Gatekeeper Details.", + "event_id": "gatekeeper", + "id": "x-mitre-sensor-mapping--ec205b11-59ff-4dfe-822a-a34ff1312056", + "modified": "2023-10-27T20:54:34.416222Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Gatekeeper", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.416222Z", + "id": "relationship--e77b06f5-2917-4af7-9833-4b015705e27b", + "modified": "2023-10-27T20:54:34.416222Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.417202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-source--4b7a5400-6819-4d59-8535-aa8fb0b8b043", + "modified": "2023-10-27T20:54:34.417202Z", + "name": "User Interface", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-source", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.417202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e2bbc307-056e-4d0b-9526-ac283d4e1585", + "modified": "2023-10-27T20:54:34.417202Z", + "name": "System 
Settings", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4b7a5400-6819-4d59-8535-aa8fb0b8b043", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.418226Z", + "data_component": "System Settings", + "data_source": "User Interface", + "description": "macOS screenlock status for the current logged in user context.", + "event_id": "screenlock", + "id": "x-mitre-sensor-mapping--bdce6757-1935-4a87-a846-efb1cb736e9f", + "modified": "2023-10-27T20:54:34.418226Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "System Settings", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:34.419233Z", + "id": "relationship--2b60cc43-2348-4b4f-aca1-7a452ee10446", + "modified": "2023-10-27T20:54:34.419233Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4b7a5400-6819-4d59-8535-aa8fb0b8b043", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e2bbc307-056e-4d0b-9526-ac283d4e1585", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.72287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "modified": "2023-10-27T20:54:33.72287Z", + "name": "User Account Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.419233Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "Local user accounts (including domain accounts that have logged on locally (Windows)).", + "event_id": "users", + "id": "x-mitre-sensor-mapping--3f03f91f-0a0f-4a34-a981-5d7d8b8db920", + "modified": "2023-10-27T20:54:34.419233Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Users", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.420259Z", + "id": "relationship--4b8149ea-f66f-49f8-8bc1-d71bef1e6c61", + "modified": "2023-10-27T20:54:34.420259Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.726922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "modified": "2023-10-27T20:54:33.726922Z", + "name": "User Account Authentication", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": 
"2023-10-27T20:54:34.421263Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Track user events from the audit framework.", + "event_id": "user_events", + "id": "x-mitre-sensor-mapping--b2ff00ac-d066-4ce7-8528-e33841cb7ca0", + "modified": "2023-10-27T20:54:34.421263Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Authentication", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.421263Z", + "id": "relationship--dd9f6284-554c-49be-8958-5fde26c8dab3", + "modified": "2023-10-27T20:54:34.421263Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.757924Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "modified": "2023-10-27T20:54:33.757924Z", + "name": "User Account Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.42229Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A line-delimited authorized_keys table", + "event_id": "authorized_keys", + "id": "x-mitre-sensor-mapping--11746483-f6d0-49dc-9b4a-07f194b80f6a", + "modified": 
"2023-10-27T20:54:34.42229Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account Keys", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.423297Z", + "id": "relationship--e660f56a-8ca5-4510-ba2e-2ea69fd4bad7", + "modified": "2023-10-27T20:54:34.423297Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.423297Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "OS X Authorization rights database.", + "event_id": "authorizations", + "id": "x-mitre-sensor-mapping--0f4a7109-d243-4b4b-a4e0-8ff097ad8bc3", + "modified": "2023-10-27T20:54:34.423297Z", + "relationship": "Authorizes", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.424891Z", + "id": "relationship--5390a042-bbd4-4cd7-a65d-dfbb63e11e9d", + "modified": "2023-10-27T20:54:34.424891Z", + "relationship_type": "Authorizes", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.426798Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Additional OS X user account data from the AccountPolicy section of OpenDirectory.", + "event_id": "account_policy_data", + "id": "x-mitre-sensor-mapping--02c09e65-2fe3-4b65-bbdf-88ab9dd37e1c", + "modified": "2023-10-27T20:54:34.426798Z", + 
"relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.426798Z", + "id": "relationship--39d8662c-df3c-4e04-a0a7-9e86e6883982", + "modified": "2023-10-27T20:54:34.426798Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.427942Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`.", + "event_id": "shadow", + "id": "x-mitre-sensor-mapping--b9fa8afc-3248-439c-a944-f6a41ace142f", + "modified": "2023-10-27T20:54:34.427942Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.428926Z", + "id": "relationship--ff038a72-8ab1-4685-82ac-ee48a4d82326", + "modified": "2023-10-27T20:54:34.428926Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.428926Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.", + "event_id": "user_ssh_keys", + "id": 
"x-mitre-sensor-mapping--d8871ace-f68d-4e15-8668-2b7465456543", + "modified": "2023-10-27T20:54:34.428926Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "User Account Private Keys", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.430042Z", + "id": "relationship--91531dbd-49e7-423b-bd20-4610d49ab3c1", + "modified": "2023-10-27T20:54:34.430042Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.430042Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "modified": "2023-10-27T20:54:34.430042Z", + "name": "Windows Registry Key Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.431115Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in a nice format. 
See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.", + "event_id": "appcompat_shims", + "id": "x-mitre-sensor-mapping--d495bd8e-5039-4f70-9038-a51bfa9716cf", + "modified": "2023-10-27T20:54:34.431115Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.432209Z", + "id": "relationship--896723ee-59ad-4896-a3f8-8f1efb000525", + "modified": "2023-10-27T20:54:34.432209Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.432209Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "All of the Windows registry hives.", + "event_id": "registry", + "id": "x-mitre-sensor-mapping--796e8a42-6073-4119-8983-f51ecfd769c9", + "modified": "2023-10-27T20:54:34.432209Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Registry Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.433271Z", + "id": "relationship--35a76ac6-d25d-4613-8b02-dfa880a9011d", + "modified": "2023-10-27T20:54:34.433271Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.434318Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "UserAssist 
Registry Key tracks when a user executes an application from Windows Explorer.", + "event_id": "userassist", + "id": "x-mitre-sensor-mapping--d9c07ea2-8957-4d5c-a1f6-de6edbc63f9b", + "modified": "2023-10-27T20:54:34.434318Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "User Assist", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.434318Z", + "id": "relationship--ab5b1518-6bd2-4c44-9d0a-ee8342dd5f6e", + "modified": "2023-10-27T20:54:34.434318Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.435309Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "Aggregate of executables that will automatically execute on the target machine. 
This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.", + "event_id": "autoexec", + "id": "x-mitre-sensor-mapping--37f20dcf-0538-4ab4-a7b3-6eecad1fb401", + "modified": "2023-10-27T20:54:34.435309Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.436351Z", + "id": "relationship--abd8b73b-7eea-44f6-a51e-707e1647a7fd", + "modified": "2023-10-27T20:54:34.436351Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.436351Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "Applications and binaries set as user/login startup items.", + "event_id": "startup_items", + "id": "x-mitre-sensor-mapping--6a84d836-3a37-47b7-8b53-fe82f221ab62", + "modified": "2023-10-27T20:54:34.436351Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Registry Keys", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.437411Z", + "id": "relationship--0a315000-e559-4657-9794-213f0284092f", + "modified": "2023-10-27T20:54:34.437411Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.437411Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": 
"x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "modified": "2023-10-27T20:54:34.437411Z", + "name": "WMI Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.438487Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.", + "event_id": "wmi_cli_event_consumers", + "id": "x-mitre-sensor-mapping--f011ad18-a624-460e-b2f6-dd310538d382", + "modified": "2023-10-27T20:54:34.438487Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "WMI", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.439507Z", + "id": "relationship--018dc3a0-0c36-437e-bd0e-f531dd90f2a2", + "modified": "2023-10-27T20:54:34.439507Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.439507Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. 
See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.", + "event_id": "wmi_script_event_consumers", + "id": "x-mitre-sensor-mapping--feb6947b-53f4-4c2f-8556-65c5dd11fed2", + "modified": "2023-10-27T20:54:34.439507Z", + "relationship": "Modified", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "WMI", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.440617Z", + "id": "relationship--aeee98ef-7edc-4d54-9d22-a665769e8575", + "modified": "2023-10-27T20:54:34.440617Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.44182Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--3a1759fa-96eb-445f-8bb8-955a581be27b", + "modified": "2023-10-27T20:54:34.44182Z", + "name": "WMI Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.442834Z", + "data_component": "WMI Enumeration", + "data_source": "WMI", + "description": "Lists the relationship between event consumers and filters.", + "event_id": "wmi_filter_consumer_binding", + "id": 
"x-mitre-sensor-mapping--2dc85e75-be65-4f1c-83c8-0f93bdcfdeac", + "modified": "2023-10-27T20:54:34.442834Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "WMI", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.443863Z", + "id": "relationship--cc86eb67-59b2-4593-bfcd-602cf748e247", + "modified": "2023-10-27T20:54:34.443863Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3a1759fa-96eb-445f-8bb8-955a581be27b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.444906Z", + "data_component": "WMI Enumeration", + "data_source": "WMI", + "description": "Lists WMI event filters.", + "event_id": "wmi_event_filters", + "id": "x-mitre-sensor-mapping--75f71788-939e-4ee4-b379-2ed47713f835", + "modified": "2023-10-27T20:54:34.444906Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "WMI Event Filter", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.444906Z", + "id": "relationship--947b0170-a3ee-4837-b7c9-8c9660dad6a9", + "modified": "2023-10-27T20:54:34.444906Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3a1759fa-96eb-445f-8bb8-955a581be27b", + "type": "relationship" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/mappings/stix/enterprise/Reference-for-mappings-enterprise.json b/mappings/stix/enterprise/Reference-for-mappings-enterprise.json new file mode 100644 index 0000000..27006c0 --- /dev/null 
+++ b/mappings/stix/enterprise/Reference-for-mappings-enterprise.json 
@@ -0,0 +1,17738 @@ +{ + "id": "bundle--486f4f36-f67a-4ee2-b72b-fc976c6120a5", + "objects": [ + { + "created": "2023-10-27T20:54:33.647867Z", + "id": "relationship--613e89e1-f329-4fff-a4cb-28008cdc7abb", + "modified": "2023-10-27T20:54:33.647867Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--206469c7-f0a2-4e86-a373-a455b845e1e5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.648869Z", + "id": "relationship--22c6533d-bfb4-4690-a907-025253a95415", + "modified": "2023-10-27T20:54:33.648869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.649873Z", + "id": "relationship--04d86f99-222f-483e-8d88-977912823b1d", + "modified": "2023-10-27T20:54:33.649873Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65187Z", + "id": "relationship--c6df6dd4-76fc-4505-becd-1f01da9971bf", + "modified": "2023-10-27T20:54:33.65187Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65387Z", + "id": "relationship--bfb4be25-db76-4020-a12d-3fc53542f029", + "modified": "2023-10-27T20:54:33.65387Z", + "relationship_type": "Modified", + "revoked": false, + 
"source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.656868Z", + "id": "relationship--93e71d50-fe4e-4dc5-be54-9cf3536f5cde", + "modified": "2023-10-27T20:54:33.656868Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.662867Z", + "id": "relationship--cc530c1a-227e-4d32-b62a-c21e21bd42eb", + "modified": "2023-10-27T20:54:33.662867Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.664867Z", + "id": "relationship--5a29e8d6-8ab4-437c-a2e8-1d380bb980c8", + "modified": "2023-10-27T20:54:33.664867Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.666871Z", + "id": "relationship--23d92a9c-0747-42c2-b880-202bdc14af2b", + "modified": "2023-10-27T20:54:33.666871Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.66787Z", + "id": 
"relationship--782e3a77-4312-43cc-a1a0-8c488f8b3cff", + "modified": "2023-10-27T20:54:33.66787Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.669869Z", + "id": "relationship--d80a5cbe-27e1-4d89-8932-6eb539940465", + "modified": "2023-10-27T20:54:33.669869Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.674871Z", + "id": "relationship--82380120-c2df-409c-b329-72155ddbe61f", + "modified": "2023-10-27T20:54:33.674871Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.681873Z", + "id": "relationship--212bd8e2-21ca-49e8-be53-6cde054ccd44", + "modified": "2023-10-27T20:54:33.681873Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.68387Z", + "id": "relationship--5bb3a6dc-8f7a-4ab2-bd28-20fbd8b14f77", + "modified": "2023-10-27T20:54:33.68387Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--12fb7e95-8224-492c-b5e7-80903a6c8bfa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.686871Z", + "id": "relationship--e880376a-863c-426c-bb8e-22c7b5e5adea", + "modified": "2023-10-27T20:54:33.686871Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.689873Z", + "id": "relationship--0b534afa-9c3d-41cc-a190-a74eb12679fc", + "modified": "2023-10-27T20:54:33.689873Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--52a9b19a-9dcc-4eef-aff3-58d3e4523ceb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.691869Z", + "id": "relationship--81934ace-c6d1-4640-b594-7d0cf7b3c13e", + "modified": "2023-10-27T20:54:33.691869Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--97e54b9b-0b7f-4b98-8672-e06e407c0b48", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.694868Z", + "id": "relationship--f35459d5-c903-4e74-b21f-d0d6029f8097", + "modified": "2023-10-27T20:54:33.694868Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e35fe7ee-5a6d-47c5-9505-7faed979e3d5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.696866Z", + "id": "relationship--b3408fe0-c873-4cc9-b31c-b1124e960922", + "modified": "2023-10-27T20:54:33.696866Z", + "relationship_type": "Terminated", + "revoked": false, + 
"source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.702865Z", + "id": "relationship--512acc17-5965-4666-9bd0-3635618cc5b8", + "modified": "2023-10-27T20:54:33.702865Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.723933Z", + "id": "relationship--1714a2bc-56ee-49e2-9590-3722ee5fbc7b", + "modified": "2023-10-27T20:54:33.723933Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.727922Z", + "id": "relationship--fe185402-81af-499f-ab84-be6b6260a31f", + "modified": "2023-10-27T20:54:33.727922Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.740927Z", + "id": "relationship--b54c92e4-7020-490d-a1d9-10fd27f89cd0", + "modified": "2023-10-27T20:54:33.740927Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.744926Z", + "id": 
"relationship--6c5a7403-b848-4ec7-ab57-96558fce0169", + "modified": "2023-10-27T20:54:33.744926Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.758937Z", + "id": "relationship--1d05c7e8-76e2-49bf-aeb9-370756ef1c7d", + "modified": "2023-10-27T20:54:33.758937Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.763935Z", + "id": "relationship--b26d03b6-1eff-4d29-ae05-4e01f20fa5e6", + "modified": "2023-10-27T20:54:33.763935Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.864987Z", + "id": "relationship--20e2290f-ea1e-47e7-9396-d17d30cc26d2", + "modified": "2023-10-27T20:54:33.864987Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.867987Z", + "id": "relationship--94613969-123e-430a-9ea9-68382bfdbae0", + "modified": "2023-10-27T20:54:33.867987Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--e9adf20c-691f-488b-8c41-8c460a33c80e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.869986Z", + "id": "relationship--eb0d2f82-80b9-466b-81d7-5bd4588ced2f", + "modified": "2023-10-27T20:54:33.869986Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2a0b2a05-c2e4-4fd4-968f-1d4dc130aa20", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.873993Z", + "id": "relationship--1422107c-fd1a-4bbd-9579-e257ce999f53", + "modified": "2023-10-27T20:54:33.873993Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ac7a968c-ff19-425c-b2f4-919f0498b487", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.882988Z", + "id": "relationship--368b98fc-e61f-46a0-b212-08d328788d60", + "modified": "2023-10-27T20:54:33.882988Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0238a154-faee-449c-b81c-8e99c6222642", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.884987Z", + "id": "relationship--4737b660-bef5-4e13-9903-75a5bb925dd8", + "modified": "2023-10-27T20:54:33.884987Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.901998Z", + "id": "relationship--a718512f-3b75-4855-a505-944fb4aa35f6", + "modified": "2023-10-27T20:54:33.901998Z", + "relationship_type": "Accessed", + "revoked": false, + 
"source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--4899428d-5728-4dfc-8fa9-ad44ef2728c4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.902991Z", + "id": "relationship--43dd2e64-f621-416d-8543-25efdf27cd69", + "modified": "2023-10-27T20:54:33.902991Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2fda5c2d-3355-4ee3-b4e5-bd46c225ba36", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.903988Z", + "id": "relationship--90edf34b-c3e7-4645-a19a-234a687cd5dc", + "modified": "2023-10-27T20:54:33.903988Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--37025b73-555a-4193-8308-66f0ae19e346", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.907088Z", + "id": "relationship--2f4bc47f-410b-4441-8cf9-3816273f397f", + "modified": "2023-10-27T20:54:33.907088Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2ffc76e9-adc4-4be7-a8b3-42a384a7f045", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.911985Z", + "id": "relationship--9c78ad5f-a24e-4be0-ab9b-f7c6febf7703", + "modified": "2023-10-27T20:54:33.911985Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--20829e89-bfc7-42b5-865a-8ab293f336f2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.913998Z", + "id": 
"relationship--c303a0f6-a6b9-488e-bd49-bac283ea602c", + "modified": "2023-10-27T20:54:33.913998Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fa47a8fd-06bc-401f-afcd-3c2bfd2981e3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.918998Z", + "id": "relationship--49ef0ee9-50f5-48ef-9e51-cedeb9362626", + "modified": "2023-10-27T20:54:33.918998Z", + "relationship_type": "Disabled", + "revoked": false, + "source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d8e74209-5fde-4d9b-9219-a9659aa4ad58", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.920998Z", + "id": "relationship--d5b266d2-b3c1-4bfc-a3d2-35911c0399e6", + "modified": "2023-10-27T20:54:33.920998Z", + "relationship_type": "Enumerate", + "revoked": false, + "source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a6d9134e-e0bc-4412-9c2f-3738c1d3970d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.921985Z", + "id": "relationship--2f9c65cf-9022-458b-b97f-fb696f3e57f0", + "modified": "2023-10-27T20:54:33.921985Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d4200521-f4c9-4f54-a730-224247675d3e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.92806Z", + "id": "relationship--b7740e38-a533-45bc-b309-4309440a2af9", + "modified": "2023-10-27T20:54:33.92806Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.932061Z", + "id": "relationship--64a6eb51-6482-49e5-8927-8fa051a04b4b", + "modified": "2023-10-27T20:54:33.932061Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.942064Z", + "id": "relationship--f77c0889-5a42-4986-b14f-7a1aaebc398a", + "modified": "2023-10-27T20:54:33.942064Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.948128Z", + "id": "relationship--b88f249f-9b1c-414c-a8d2-4023f70cab61", + "modified": "2023-10-27T20:54:33.948128Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9e1ca964-bfba-4c03-aae8-b7914a9e3a97", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.950131Z", + "id": "relationship--db05f79d-a271-4ea5-83ee-ccafc7ac122c", + "modified": "2023-10-27T20:54:33.950131Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2fd7e00a-f33a-4ae8-bf98-d75aec1b1b75", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.952138Z", + "id": "relationship--52162e3b-04f8-4c77-a645-690f23661c7b", + "modified": "2023-10-27T20:54:33.952138Z", + "relationship_type": "Modification", + "revoked": false, 
+ "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.968128Z", + "id": "relationship--dbeacd2e-b965-4d61-afb1-feb5ef925350", + "modified": "2023-10-27T20:54:33.968128Z", + "relationship_type": "Creates", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3ee04f41-a5f8-4a78-a738-8876217101bf", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.970128Z", + "id": "relationship--80893936-0321-4761-aafe-449e61198973", + "modified": "2023-10-27T20:54:33.970128Z", + "relationship_type": "Stopped", + "revoked": false, + "source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--c893f813-bc12-4bad-935a-baa01bf797b4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.976135Z", + "id": "relationship--93c5c405-fb07-4649-953b-01b496423ffc", + "modified": "2023-10-27T20:54:33.976135Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0c409d14-271d-4c75-b1f0-2be860c252f7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.979145Z", + "id": "relationship--7c949ca9-e2b4-4990-b988-704bf1918745", + "modified": "2023-10-27T20:54:33.979145Z", + "relationship_type": "Delete", + "revoked": false, + "source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e2b8730b-ffe0-4033-a424-c70fced54b0b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.982133Z", + "id": 
"relationship--d889953e-9ab6-4a99-b078-bb44ded20c97", + "modified": "2023-10-27T20:54:33.982133Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ab0cc187-152c-4ce7-ab29-8ab97bafd3a3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.012131Z", + "id": "relationship--983ee6ad-feaa-485d-b525-c7ec7b903747", + "modified": "2023-10-27T20:54:34.012131Z", + "relationship_type": "Enumerates", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.138014Z", + "id": "relationship--ae805209-1e8f-448f-8017-79906fb82049", + "modified": "2023-10-27T20:54:34.138014Z", + "relationship_type": "Create", + "revoked": false, + "source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--755e42e8-1960-47d4-87b6-d5f485b98610", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.138945Z", + "id": "relationship--8957fcd2-d76e-4b8e-bd09-f5aea003a253", + "modified": "2023-10-27T20:54:34.138945Z", + "relationship_type": "Modification", + "revoked": false, + "source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d241a43a-9ff3-4d76-b5f4-9992dbf6fba9", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.173926Z", + "id": "relationship--93a26cdb-ad3c-49f5-9d82-d5aef168a7fd", + "modified": "2023-10-27T20:54:34.173926Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--858b1589-f9ad-482f-9c34-6fa2cddc5a76", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.176931Z", + "id": "relationship--99ec5b44-29c0-4856-bc37-1cba3d4786f7", + "modified": "2023-10-27T20:54:34.176931Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.186928Z", + "id": "relationship--df2de055-69fe-45e7-ab2e-e2de37bdd34c", + "modified": "2023-10-27T20:54:34.186928Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--7f894f0a-ff30-49dd-ae5d-0c203c3d7900", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.187927Z", + "id": "relationship--c033d412-d22e-4960-8928-483ee0d75d58", + "modified": "2023-10-27T20:54:34.187927Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ca94bc9d-801f-4522-85dd-240c26bb2401", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.189927Z", + "id": "relationship--b9b3af6c-4492-4100-9946-ceb8a6e8f748", + "modified": "2023-10-27T20:54:34.189927Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--28e91219-e313-41c9-a3ba-c694a0708c81", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.197191Z", + "id": "relationship--456427f3-bdfa-4bba-895c-9817a759d254", + "modified": "2023-10-27T20:54:34.197191Z", + "relationship_type": "Created", + "revoked": false, + 
"source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--806c044c-2cb9-49c6-893e-30675b5e4679", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.199181Z", + "id": "relationship--5feffebe-6d6d-445a-b96a-bf21994a04d6", + "modified": "2023-10-27T20:54:34.199181Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2b1eaec6-4e5f-4ced-ac83-48afe7e24380", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.20018Z", + "id": "relationship--446390eb-f066-4adf-95e1-9d46ecffac59", + "modified": "2023-10-27T20:54:34.20018Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2b1eaec6-4e5f-4ced-ac83-48afe7e24380", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.202198Z", + "id": "relationship--65f507a1-0607-4f88-8fb4-63f38e850097", + "modified": "2023-10-27T20:54:34.202198Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--802a661b-37ca-4cd3-94b1-1f20cbd62a98", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.209297Z", + "id": "relationship--7c839671-9e02-4356-b9bd-d2482d06d2dd", + "modified": "2023-10-27T20:54:34.209297Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--c0c6bb35-9e38-47d5-be54-c33c1bcdd9f4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.234717Z", + "id": 
"relationship--13ea2e54-2345-4a23-be2f-327101dbe49e", + "modified": "2023-10-27T20:54:34.234717Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2cbe4fb0-daf8-46db-9af6-9b43dd48284f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.2373Z", + "id": "relationship--d624a044-71fa-40e4-ac13-f384499b4b8e", + "modified": "2023-10-27T20:54:34.2373Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.239418Z", + "id": "relationship--dd2f27a6-0b55-41d2-be68-976a77592532", + "modified": "2023-10-27T20:54:34.239418Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0c03b7eb-2735-4e2a-83e7-0f97b025597f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.33057Z", + "id": "relationship--1da6954f-7c83-41f0-b4c8-85793def1e54", + "modified": "2023-10-27T20:54:34.33057Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--eb6317db-f95f-4132-a7dc-48f331591b13", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.331569Z", + "id": "relationship--7194059d-a19d-4f4a-9218-3cebcd30dec8", + "modified": "2023-10-27T20:54:34.331569Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.344673Z", + "id": "relationship--dabf4324-5af3-4b1d-9671-49421184a5d1", + "modified": "2023-10-27T20:54:34.344673Z", + "relationship_type": "Loaded", + "revoked": false, + "source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9e564c43-b8f9-44f9-b2a8-7b525590733e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.351751Z", + "id": "relationship--64a566a1-25d9-4c98-ba2a-01263804b42a", + "modified": "2023-10-27T20:54:34.351751Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--76030842-1fa0-431f-b821-0d683b3946ab", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.353747Z", + "id": "relationship--13e24f63-22ee-4da3-8c55-2fdcdc752c5a", + "modified": "2023-10-27T20:54:34.353747Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.360774Z", + "id": "relationship--18cb2878-9643-45ea-8dcf-71d71a575513", + "modified": "2023-10-27T20:54:34.360774Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.387867Z", + "id": "relationship--e3fcc4c8-c59f-4086-b077-055932a5f2f5", + "modified": "2023-10-27T20:54:34.387867Z", + "relationship_type": "Enumerated", + "revoked": false, + 
"source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--c1de592f-7b86-4c7b-b2ef-03df0d9e9630", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.388874Z", + "id": "relationship--69805f0c-3667-4268-b9ab-0b79a9accaff", + "modified": "2023-10-27T20:54:34.388874Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.403468Z", + "id": "relationship--5305f300-cec5-46b1-97c5-e086efd2dba7", + "modified": "2023-10-27T20:54:34.403468Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--86a6c50d-2905-48e2-962f-02888494902e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.408924Z", + "id": "relationship--22f4b8ae-153f-420b-9f77-8598acfb580a", + "modified": "2023-10-27T20:54:34.408924Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--e7451f92-3a8a-4d49-b401-b97d0c2fed58", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6e3ce423-8db0-4834-97b9-8ff190f2f15d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.411109Z", + "id": "relationship--905cb016-93db-4836-ad4c-22ecb2e7f5ee", + "modified": "2023-10-27T20:54:34.411109Z", + "relationship_type": "Recorded", + "revoked": false, + "source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--addbbfdc-b803-4934-a50a-f1dca0787274", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.413143Z", + "id": 
"relationship--b7d02d76-fb1a-43ab-84c2-9f2a2996b640", + "modified": "2023-10-27T20:54:34.413143Z", + "relationship_type": "Read", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fb908e6d-dcd4-446b-aac3-6b9dc4d4b8c3", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.419233Z", + "id": "relationship--2b60cc43-2348-4b4f-aca1-7a452ee10446", + "modified": "2023-10-27T20:54:34.419233Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--4b7a5400-6819-4d59-8535-aa8fb0b8b043", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e2bbc307-056e-4d0b-9526-ac283d4e1585", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.432209Z", + "id": "relationship--896723ee-59ad-4896-a3f8-8f1efb000525", + "modified": "2023-10-27T20:54:34.432209Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.439507Z", + "id": "relationship--018dc3a0-0c36-437e-bd0e-f531dd90f2a2", + "modified": "2023-10-27T20:54:34.439507Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.443863Z", + "id": "relationship--cc86eb67-59b2-4593-bfcd-602cf748e247", + "modified": "2023-10-27T20:54:34.443863Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--3a1759fa-96eb-445f-8bb8-955a581be27b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.463633Z", + "id": "relationship--44b556e3-bc8a-4120-9767-0f50e1771e61", + "modified": "2023-10-27T20:54:34.463633Z", + "relationship_type": "Loaded", + "revoked": false, + "source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0f563052-0cbb-4d8e-a260-ea15a5553dd5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.471995Z", + "id": "relationship--546c2799-d97c-44f9-8621-d746cb87ba23", + "modified": "2023-10-27T20:54:34.471995Z", + "relationship_type": "Loaded", + "revoked": false, + "source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--bc66dfbd-3982-4bea-81f8-015503e08c50", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.472998Z", + "id": "relationship--bb2dd6a5-ac57-46b4-91ca-0a6755555406", + "modified": "2023-10-27T20:54:34.472998Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--38ebff0a-95bb-4c81-8c69-006e185123f2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.475103Z", + "id": "relationship--dacb4f81-5178-4ce9-85ca-1a8304a9354c", + "modified": "2023-10-27T20:54:34.475103Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a1eae790-0019-48b4-ac25-a7d75544909f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.479323Z", + "id": "relationship--6279c1cf-ceca-4849-9bbc-2c4f2b1388aa", + "modified": "2023-10-27T20:54:34.479323Z", + "relationship_type": "Connected To/From", + "revoked": false, + 
"source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.485962Z", + "id": "relationship--d87bbb9f-1b8f-4d2c-bd5d-cc0d86ccaed0", + "modified": "2023-10-27T20:54:34.485962Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--62941e03-da2b-467b-96b7-b8ef6d6c8fbc", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.491088Z", + "id": "relationship--56d1864d-eb29-4b62-bc6f-6708324f3f15", + "modified": "2023-10-27T20:54:34.491088Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--7fa1ea2a-ef03-4797-b4da-ded7431b03a6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.492083Z", + "id": "relationship--f2ca22e3-84eb-4475-ab31-ca12fc47ebd0", + "modified": "2023-10-27T20:54:34.492083Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--bd62e695-7bf5-4d81-880b-c63f30635156", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.494082Z", + "id": "relationship--0025910a-1011-4759-82e2-113fc221ca37", + "modified": "2023-10-27T20:54:34.494082Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f23ad5d9-1cb0-41a0-bfb8-fcda53887dfc", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.499491Z", + "id": 
"relationship--bfa6b0c0-45d5-4f91-b2a5-5c9fda9eb75f", + "modified": "2023-10-27T20:54:34.499491Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0e70fe01-fbc7-4e0a-b9ca-0204cb085952", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.527185Z", + "id": "relationship--50cc2496-7975-4146-bd53-1672108dc274", + "modified": "2023-10-27T20:54:34.527185Z", + "relationship_type": "Requested", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--41fcc984-6e02-467d-b6df-5e8c03d593ca", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.562137Z", + "id": "relationship--f6d9cdee-949d-4dca-83f4-7fe950bcf805", + "modified": "2023-10-27T20:54:34.562137Z", + "relationship_type": "Disabled", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--52ee3a9f-5707-4e94-a6cd-b6bbe9969e96", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.565253Z", + "id": "relationship--acbb99d7-df2a-4601-8b87-a739981429f8", + "modified": "2023-10-27T20:54:34.565253Z", + "relationship_type": "Enabled", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--bca991d1-d6c6-4580-9657-6fc479fa3810", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.649545Z", + "id": "relationship--f81b3b76-bca9-4b4b-9140-915d07406a7a", + "modified": "2023-10-27T20:54:34.649545Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--a2c52e19-78f1-4183-b738-a9c311801e2a", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.651541Z", + "id": "relationship--74b4be23-321e-4d46-ac9b-abf4c1ce6918", + "modified": "2023-10-27T20:54:34.651541Z", + "relationship_type": "Disconnected Fom", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2f3228ee-695d-476c-aa4e-4bd76b759b51", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.679093Z", + "id": "relationship--da477ecc-bf0e-4248-a77e-9713d711975c", + "modified": "2023-10-27T20:54:34.679093Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--37538723-57a7-47eb-a6be-fc5116c2383b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.681094Z", + "id": "relationship--8cdb0f55-c5fe-4bbe-a7f3-6315a0f258a0", + "modified": "2023-10-27T20:54:34.681094Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2c0938b4-a521-424e-a923-a6c629a3fd06", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.683107Z", + "id": "relationship--9d4341f7-8350-466a-b9b4-3b7a3fe2f412", + "modified": "2023-10-27T20:54:34.683107Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--49259d6f-96c8-43d0-ab15-af6024b48086", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.692641Z", + "id": "relationship--d32b02c1-855c-4b73-90a8-327692b988cd", + "modified": "2023-10-27T20:54:34.692641Z", + "relationship_type": "Created", + "revoked": false, + 
"source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--de9af4b8-5e67-4b8b-bc53-89a130ae71f0", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.69464Z", + "id": "relationship--704267da-0794-4660-9c69-e8fafcacf8ec", + "modified": "2023-10-27T20:54:34.69464Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a7d0f588-a51d-40d4-9dc8-22a2500e4709", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.696656Z", + "id": "relationship--3b2298f2-ee9f-47af-bb72-c5a8d3f36a73", + "modified": "2023-10-27T20:54:34.696656Z", + "relationship_type": "Enabled", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--51be98e7-45b6-40cb-86d3-0daf71ebad7e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.827689Z", + "id": "relationship--44e9f7f9-3dda-49de-a437-4f50d7191577", + "modified": "2023-10-27T20:54:34.827689Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.646871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--206469c7-f0a2-4e86-a373-a455b845e1e5", + "modified": "2023-10-27T20:54:33.646871Z", + "name": "Command Execution", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.647867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "modified": "2023-10-27T20:54:33.647867Z", + "name": "Drive Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.648869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "modified": "2023-10-27T20:54:33.648869Z", + "name": "File Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.65187Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "modified": "2023-10-27T20:54:33.65187Z", + "name": "File Deletion", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.65287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "modified": "2023-10-27T20:54:33.65287Z", + "name": "File Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.655922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "modified": "2023-10-27T20:54:33.655922Z", + "name": "File Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.660871Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "modified": "2023-10-27T20:54:33.660871Z", + "name": "Firewall Rule Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.662867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "modified": "2023-10-27T20:54:33.662867Z", + "name": "Group Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.664867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "modified": "2023-10-27T20:54:33.664867Z", + "name": "Group Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + 
"enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.666871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "modified": "2023-10-27T20:54:33.666871Z", + "name": "Host Status", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.668869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "modified": "2023-10-27T20:54:33.668869Z", + "name": "Logon Session Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.672871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "modified": "2023-10-27T20:54:33.672871Z", + "name": "Logon Session Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + 
"spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.679872Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "modified": "2023-10-27T20:54:33.679872Z", + "name": "Network Traffic Content", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.681873Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--12fb7e95-8224-492c-b5e7-80903a6c8bfa", + "modified": "2023-10-27T20:54:33.681873Z", + "name": "Process Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.684869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": 
"x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "modified": "2023-10-27T20:54:33.684869Z", + "name": "Process Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.687867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--52a9b19a-9dcc-4eef-aff3-58d3e4523ceb", + "modified": "2023-10-27T20:54:33.687867Z", + "name": "Process Termination", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.690869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--97e54b9b-0b7f-4b98-8672-e06e407c0b48", + "modified": "2023-10-27T20:54:33.690869Z", + "name": "Service Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.692869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e35fe7ee-5a6d-47c5-9505-7faed979e3d5", + "modified": "2023-10-27T20:54:33.692869Z", + "name": "Service Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.69607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "modified": "2023-10-27T20:54:33.69607Z", + "name": "Service Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.701867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--eeedde05-9b91-4a39-a286-62a02fda4559", + "modified": "2023-10-27T20:54:33.701867Z", + "name": "Service Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.72287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--945e21f3-1b12-43d1-9996-3654b2eb9f34", + "modified": "2023-10-27T20:54:33.72287Z", + "name": "User Account Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.726922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "modified": "2023-10-27T20:54:33.726922Z", + "name": "User Account Authentication", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.739931Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "modified": 
"2023-10-27T20:54:33.739931Z", + "name": "User Account Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.743925Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "modified": "2023-10-27T20:54:33.743925Z", + "name": "User Account Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.757924Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "modified": "2023-10-27T20:54:33.757924Z", + "name": "User Account Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": 
"1.0" + }, + { + "created": "2023-10-27T20:54:33.762922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "modified": "2023-10-27T20:54:33.762922Z", + "name": "User Account Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.860987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "modified": "2023-10-27T20:54:33.860987Z", + "name": "Active Directory Object Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.865986Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e9adf20c-691f-488b-8c41-8c460a33c80e", + "modified": "2023-10-27T20:54:33.865986Z", + "name": "Active Directory Object Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.867987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2a0b2a05-c2e4-4fd4-968f-1d4dc130aa20", + "modified": "2023-10-27T20:54:33.867987Z", + "name": "Active Directory Object Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.871985Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ac7a968c-ff19-425c-b2f4-919f0498b487", + "modified": "2023-10-27T20:54:33.871985Z", + "name": "Active Directory Object Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.881987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0238a154-faee-449c-b81c-8e99c6222642", + "modified": "2023-10-27T20:54:33.881987Z", + "name": 
"Active Directory Object Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.883987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "modified": "2023-10-27T20:54:33.883987Z", + "name": "Active Directory Object Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.899989Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--4899428d-5728-4dfc-8fa9-ad44ef2728c4", + "modified": "2023-10-27T20:54:33.899989Z", + "name": "Certificate Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + 
"created": "2023-10-27T20:54:33.901998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2fda5c2d-3355-4ee3-b4e5-bd46c225ba36", + "modified": "2023-10-27T20:54:33.901998Z", + "name": "Certificate Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.903988Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--37025b73-555a-4193-8308-66f0ae19e346", + "modified": "2023-10-27T20:54:33.903988Z", + "name": "Certificate Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.904988Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2ffc76e9-adc4-4be7-a8b3-42a384a7f045", + "modified": "2023-10-27T20:54:33.904988Z", + "name": "Certificate Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.909993Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "modified": "2023-10-27T20:54:33.909993Z", + "name": "Cloud Service Account", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-source", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.911003Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--20829e89-bfc7-42b5-865a-8ab293f336f2", + "modified": "2023-10-27T20:54:33.911003Z", + "name": "Cloud Service Account Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.912986Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fa47a8fd-06bc-401f-afcd-3c2bfd2981e3", + "modified": "2023-10-27T20:54:33.912986Z", + "name": "Cloud Service Account Metadata", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9b00aef6-8633-48b6-9804-c86230ff13f7", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.917988Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d8e74209-5fde-4d9b-9219-a9659aa4ad58", + "modified": "2023-10-27T20:54:33.917988Z", + "name": "Cloud Service Disable", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.919998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a6d9134e-e0bc-4412-9c2f-3738c1d3970d", + "modified": "2023-10-27T20:54:33.919998Z", + "name": "Cloud Service Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--b1ddede4-cafe-4955-ac4c-14b33ac3f647", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.920998Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d4200521-f4c9-4f54-a730-224247675d3e", + "modified": "2023-10-27T20:54:33.920998Z", + "name": "Group Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.927065Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "modified": "2023-10-27T20:54:33.927065Z", + "name": "Group Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.93106Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a11c0e08-068a-4acb-b37e-0320ac338d83", + "modified": "2023-10-27T20:54:33.93106Z", + "name": "Group Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + 
"enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.940158Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "modified": "2023-10-27T20:54:33.940158Z", + "name": "Group Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.946214Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--9e1ca964-bfba-4c03-aae8-b7914a9e3a97", + "modified": "2023-10-27T20:54:33.946214Z", + "name": "Image Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.948128Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2fd7e00a-f33a-4ae8-bf98-d75aec1b1b75", + "modified": "2023-10-27T20:54:33.948128Z", + "name": "Image Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": 
"2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.950131Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--027f3050-3242-49f8-9837-3bfae23d45e8", + "modified": "2023-10-27T20:54:33.950131Z", + "name": "Instance Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.967128Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--3ee04f41-a5f8-4a78-a738-8876217101bf", + "modified": "2023-10-27T20:54:33.967128Z", + "name": "Instance Start", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.969128Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--c893f813-bc12-4bad-935a-baa01bf797b4", + 
"modified": "2023-10-27T20:54:33.969128Z", + "name": "Instance Stop", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--45232bc0-e858-440d-aa93-d48c6cf167f0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.974135Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0c409d14-271d-4c75-b1f0-2be860c252f7", + "modified": "2023-10-27T20:54:33.974135Z", + "name": "Snapshot Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.977489Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e2b8730b-ffe0-4033-a424-c70fced54b0b", + "modified": "2023-10-27T20:54:33.977489Z", + "name": "Snapshot Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + 
}, + { + "created": "2023-10-27T20:54:33.979145Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ab0cc187-152c-4ce7-ab29-8ab97bafd3a3", + "modified": "2023-10-27T20:54:33.979145Z", + "name": "Snapshot Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--6d7de3b7-283d-48f9-909c-60d123d9d768", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.011134Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fde7e1ab-00c3-4a83-8e28-c0f5fcea3aa2", + "modified": "2023-10-27T20:54:34.011134Z", + "name": "User Account Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.135942Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--755e42e8-1960-47d4-87b6-d5f485b98610", + "modified": "2023-10-27T20:54:34.135942Z", + "name": "Volume Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.138014Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d241a43a-9ff3-4d76-b5f4-9992dbf6fba9", + "modified": "2023-10-27T20:54:34.138014Z", + "name": "Volume Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--b0b6d26f-3747-4444-ac7a-239a6ff80cb5", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.171925Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--858b1589-f9ad-482f-9c34-6fa2cddc5a76", + "modified": "2023-10-27T20:54:34.171925Z", + "name": "Active Directory Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.174928Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--22d6dad6-7037-4258-b378-c2464c59d622", + "modified": "2023-10-27T20:54:34.174928Z", + "name": "Application Log Content", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.185931Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--7f894f0a-ff30-49dd-ae5d-0c203c3d7900", + "modified": "2023-10-27T20:54:34.185931Z", + "name": "Certificate Registration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--29aa4e0e-4a26-4f79-a9bc-1ae66df1c923", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.187927Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ca94bc9d-801f-4522-85dd-240c26bb2401", + "modified": "2023-10-27T20:54:34.187927Z", + "name": "Command Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.188927Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--28e91219-e313-41c9-a3ba-c694a0708c81", + "modified": "2023-10-27T20:54:34.188927Z", + "name": "Drive Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.196777Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--806c044c-2cb9-49c6-893e-30675b5e4679", + "modified": "2023-10-27T20:54:34.196777Z", + "name": "Drive Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.19818Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2b1eaec6-4e5f-4ced-ac83-48afe7e24380", + "modified": "2023-10-27T20:54:34.19818Z", + "name": "Drive Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "x_mitre_domains": [ + 
"enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.201183Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--802a661b-37ca-4cd3-94b1-1f20cbd62a98", + "modified": "2023-10-27T20:54:34.201183Z", + "name": "Driver Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.208309Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--c0c6bb35-9e38-47d5-be54-c33c1bcdd9f4", + "modified": "2023-10-27T20:54:34.208309Z", + "name": "File Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.233629Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2cbe4fb0-daf8-46db-9af6-9b43dd48284f", + "modified": "2023-10-27T20:54:34.233629Z", + "name": "Firewall Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": 
"2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.236259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "modified": "2023-10-27T20:54:34.236259Z", + "name": "Firewall Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.238291Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0c03b7eb-2735-4e2a-83e7-0f97b025597f", + "modified": "2023-10-27T20:54:34.238291Z", + "name": "Firmware Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.329569Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--eb6317db-f95f-4132-a7dc-48f331591b13", + 
"modified": "2023-10-27T20:54:34.329569Z", + "name": "Image Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1ac0ca69-e07e-4b34-9061-e4588e146c52", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.33057Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--88f9da10-f773-4391-aa9c-9ab8b0791bba", + "modified": "2023-10-27T20:54:34.33057Z", + "name": "Kernel Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.343671Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--9e564c43-b8f9-44f9-b2a8-7b525590733e", + "modified": "2023-10-27T20:54:34.343671Z", + "name": "Kernel Module Load", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--8765a845-dea1-4cd1-a56f-f54939b7ab9e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + 
}, + { + "created": "2023-10-27T20:54:34.350747Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--76030842-1fa0-431f-b821-0d683b3946ab", + "modified": "2023-10-27T20:54:34.350747Z", + "name": "Named Pipe Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.352744Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "modified": "2023-10-27T20:54:34.352744Z", + "name": "Network Share Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.359765Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--9a371db1-9d3b-48bf-a2b3-52519ee56bd2", + "modified": "2023-10-27T20:54:34.359765Z", + "name": "Network Status", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.385844Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--c1de592f-7b86-4c7b-b2ef-03df0d9e9630", + "modified": "2023-10-27T20:54:34.385844Z", + "name": "Process Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.387867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "modified": "2023-10-27T20:54:34.387867Z", + "name": "Process Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.402088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--86a6c50d-2905-48e2-962f-02888494902e", + "modified": "2023-10-27T20:54:34.402088Z", + "name": "Scheduled Job Metadata", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.406838Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-source--e7451f92-3a8a-4d49-b401-b97d0c2fed58", + "modified": "2023-10-27T20:54:34.406838Z", + "name": "Scheduled Task", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-source", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.407826Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6e3ce423-8db0-4834-97b9-8ff190f2f15d", + "modified": "2023-10-27T20:54:34.407826Z", + "name": "Scheduled Task Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e7451f92-3a8a-4d49-b401-b97d0c2fed58", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.41011Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--addbbfdc-b803-4934-a50a-f1dca0787274", + "modified": "2023-10-27T20:54:34.41011Z", + "name": "Script Execution", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.412139Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fb908e6d-dcd4-446b-aac3-6b9dc4d4b8c3", + "modified": "2023-10-27T20:54:34.412139Z", + "name": "Service Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.417202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-source--4b7a5400-6819-4d59-8535-aa8fb0b8b043", + "modified": "2023-10-27T20:54:34.417202Z", + "name": "User Interface", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-source", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], 
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.417202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e2bbc307-056e-4d0b-9526-ac283d4e1585", + "modified": "2023-10-27T20:54:34.417202Z", + "name": "System Settings", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4b7a5400-6819-4d59-8535-aa8fb0b8b043", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.430042Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "modified": "2023-10-27T20:54:34.430042Z", + "name": "Windows Registry Key Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.437411Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "modified": "2023-10-27T20:54:34.437411Z", + "name": "WMI Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": 
"x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.44182Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--3a1759fa-96eb-445f-8bb8-955a581be27b", + "modified": "2023-10-27T20:54:34.44182Z", + "name": "WMI Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.461525Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0f563052-0cbb-4d8e-a260-ea15a5553dd5", + "modified": "2023-10-27T20:54:34.461525Z", + "name": "Driver Load", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.469961Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--bc66dfbd-3982-4bea-81f8-015503e08c50", + "modified": 
"2023-10-27T20:54:34.469961Z", + "name": "Module Load", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.472998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--38ebff0a-95bb-4c81-8c69-006e185123f2", + "modified": "2023-10-27T20:54:34.472998Z", + "name": "Named Pipe Connection", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.474126Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a1eae790-0019-48b4-ac25-a7d75544909f", + "modified": "2023-10-27T20:54:34.474126Z", + "name": "Named Pipe Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { 
+ "created": "2023-10-27T20:54:34.478308Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "modified": "2023-10-27T20:54:34.478308Z", + "name": "Network Connection Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.484878Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--62941e03-da2b-467b-96b7-b8ef6d6c8fbc", + "modified": "2023-10-27T20:54:34.484878Z", + "name": "Process Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.489047Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--7fa1ea2a-ef03-4797-b4da-ded7431b03a6", + "modified": "2023-10-27T20:54:34.489047Z", + "name": "Windows Registry Key Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.491088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--bd62e695-7bf5-4d81-880b-c63f30635156", + "modified": "2023-10-27T20:54:34.491088Z", + "name": "Windows Registry Key Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.493081Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--f23ad5d9-1cb0-41a0-bfb8-fcda53887dfc", + "modified": "2023-10-27T20:54:34.493081Z", + "name": "Windows Registry Key Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.498234Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0e70fe01-fbc7-4e0a-b9ca-0204cb085952", + "modified": "2023-10-27T20:54:34.498234Z", + "name": "WMI Deletion", + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.526521Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--41fcc984-6e02-467d-b6df-5e8c03d593ca", + "modified": "2023-10-27T20:54:34.526521Z", + "name": "Active Directory Credential Request", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.561113Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--52ee3a9f-5707-4e94-a6cd-b6bbe9969e96", + "modified": "2023-10-27T20:54:34.561113Z", + "name": "Firewall Disable", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.563223Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--bca991d1-d6c6-4580-9657-6fc479fa3810", + "modified": "2023-10-27T20:54:34.563223Z", + "name": "Firewall Enabled", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.647543Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a2c52e19-78f1-4183-b738-a9c311801e2a", + "modified": "2023-10-27T20:54:34.647543Z", + "name": "Logon Session Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.649545Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2f3228ee-695d-476c-aa4e-4bd76b759b51", + "modified": "2023-10-27T20:54:34.649545Z", + "name": "Logon Session Terminated", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.678095Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--37538723-57a7-47eb-a6be-fc5116c2383b", + "modified": "2023-10-27T20:54:34.678095Z", + "name": "Network Share Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.680095Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2c0938b4-a521-424e-a923-a6c629a3fd06", + "modified": "2023-10-27T20:54:34.680095Z", + "name": "Network Share Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.681094Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--49259d6f-96c8-43d0-ab15-af6024b48086", + "modified": "2023-10-27T20:54:34.681094Z", + "name": "Network Share Modification", + "object_marking_refs": [ 
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.69164Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--de9af4b8-5e67-4b8b-bc53-89a130ae71f0", + "modified": "2023-10-27T20:54:34.69164Z", + "name": "Scheduled Job Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.692641Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a7d0f588-a51d-40d4-9dc8-22a2500e4709", + "modified": "2023-10-27T20:54:34.692641Z", + "name": "Scheduled Job Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.69464Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--51be98e7-45b6-40cb-86d3-0daf71ebad7e", + "modified": "2023-10-27T20:54:34.69464Z", + "name": "Scheduled Job Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.826689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "modified": "2023-10-27T20:54:34.826689Z", + "name": "Network Traffic Flow", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:33.646871Z", + "data_component": "Command Execution", + "data_source": "Command", + "description": "Triggered when a user-space system configuration change is detected", + "event_id": "USYS_CONFIG", + "id": "x-mitre-sensor-mapping--603eb85b-68db-4990-9f95-9f68df782ee3", + "modified": "2023-10-27T20:54:33.646871Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Configuration", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0017" + }, + { + "created": 
"2023-10-27T20:54:33.648869Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "Triggered when a file system relabel operation is detected", + "event_id": "FS_RELABEL", + "id": "x-mitre-sensor-mapping--5dddf95a-bbc5-4082-ba8f-ab090516caf3", + "modified": "2023-10-27T20:54:33.648869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:33.649873Z", + "data_component": "File Access", + "data_source": "File", + "description": "Triggered when suspicious use of file links is detected", + "event_id": "ANOM_LINK", + "id": "x-mitre-sensor-mapping--9e1b5d39-44c4-4742-81c0-a35aefa65fcd", + "modified": "2023-10-27T20:54:33.649873Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.65087Z", + "data_component": "File Access", + "data_source": "File", + "description": "Triggered when a user-space AVC message is generated", + "event_id": "USER_AVC", + "id": "x-mitre-sensor-mapping--a2f36ce1-e4fd-43c5-9417-9dec3d9f12ea", + "modified": "2023-10-27T20:54:33.65087Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.65187Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "op record field contains value deleting mail file", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--9330ef3c-c690-4a5b-8323-b46a7cdaf839", + "modified": "2023-10-27T20:54:33.65187Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": 
"2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.724924Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "op record field contains value moving home directory", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--077922ca-a790-43eb-b14f-00884e22cfbf", + "modified": "2023-10-27T20:54:33.724924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.726013Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "op record field contains value user lookup", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--d78df75f-1137-41f7-aff8-a586a29d52f5", + "modified": "2023-10-27T20:54:33.726013Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.746927Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting user entries", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--74339526-d782-4ec7-a327-8781c2954c0b", + "modified": "2023-10-27T20:54:33.746927Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.748927Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting user not found", + "event_id": "USER_CHAUTHTOK", + 
"id": "x-mitre-sensor-mapping--51b759c2-d9d1-4c02-965a-63b8cef8daa7", + "modified": "2023-10-27T20:54:33.748927Z", + "relationship": "Errored", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.750925Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting user", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f258b7dc-86e2-44b2-9deb-2c2f56ea3a60", + "modified": "2023-10-27T20:54:33.750925Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.752926Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting user logged in", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f8e4f97f-7af8-4936-8664-ef186070884e", + "modified": "2023-10-27T20:54:33.752926Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.755924Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains value deleting home directory", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--9875e772-7ff4-49a8-8069-a81b50f30851", + "modified": "2023-10-27T20:54:33.755924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + 
"created": "2023-10-27T20:54:33.760935Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "op record field contains value unlock password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--bc5ae21c-ba54-4620-84ff-138b537adff9", + "modified": "2023-10-27T20:54:33.760935Z", + "relationship": "Unlocked", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.762922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--b9e37822-25fc-492a-be88-1a7bd08176eb", + "modified": "2023-10-27T20:54:33.762922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.764924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--7b8e0ca7-7288-4a9c-9319-25fe0d147e0a", + "modified": "2023-10-27T20:54:33.764924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.765938Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change expired password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--928f2f8c-0d58-43a8-b013-7369ad52908d", + "modified": 
"2023-10-27T20:54:33.765938Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.766926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change age", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--61022c5f-b3d0-4055-b856-414aa7e4e867", + "modified": "2023-10-27T20:54:33.766926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.768924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change max age", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--98bdad7c-72a5-4472-b8ed-f2d4dc74dab2", + "modified": "2023-10-27T20:54:33.768924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.770928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change min age", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--3dc59ca3-796c-4568-a1c7-2f1cb3ab0788", + "modified": "2023-10-27T20:54:33.770928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.771929Z", + "data_component": "User Account Modification", + 
"data_source": "User Account", + "description": "op record field contains value change passwd warning", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f500e4d5-2e70-43b1-998a-a213d4fd776b", + "modified": "2023-10-27T20:54:33.771929Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.773922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change inactive days", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--6a4239a5-d510-493c-b5cf-96c89a37092f", + "modified": "2023-10-27T20:54:33.773922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.774923Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change passwd expiration", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--0ae7eb31-24ed-4011-b9b2-30d054149543", + "modified": "2023-10-27T20:54:33.774923Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.777082Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change last change date", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--a5162530-6e72-498f-9cbe-29620d0c83ee", + "modified": "2023-10-27T20:54:33.777082Z", + "relationship": "Modified", + "revoked": false, + 
"source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.777925Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value change all aging information", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--20e09e61-aae0-46c3-9ff5-7b5f01be54df", + "modified": "2023-10-27T20:54:33.777925Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.778924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value password attribute change", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--a39b4fd8-6b26-4352-b1aa-c1d25b5d3d92", + "modified": "2023-10-27T20:54:33.778924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.779925Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value password aging data updated", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--c10b9619-1e9c-469d-bdc7-e0bddb3644b1", + "modified": "2023-10-27T20:54:33.779925Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.780924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + 
"description": "op record field contains value display aging info", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f52953e8-81fb-48db-a8a8-f69a202df41b", + "modified": "2023-10-27T20:54:33.780924Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.782924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value password status display", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--14a923dc-0409-4cc2-8cab-6381e22c7d2d", + "modified": "2023-10-27T20:54:33.782924Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.783924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value password status displayed for user", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--3754cc2f-f5e8-484e-b751-4f459d85b98d", + "modified": "2023-10-27T20:54:33.783924Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.784924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding to group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--2194287a-a15f-48fa-901f-2536132ea5ec", + "modified": "2023-10-27T20:54:33.784924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + 
"spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.785922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding group member", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f0278e2d-10eb-48db-8215-2d526fbaa489", + "modified": "2023-10-27T20:54:33.785922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.786923Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding user to group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--68241c2a-a789-41c5-8f9e-61abc8f7e078", + "modified": "2023-10-27T20:54:33.786923Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.787922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding user to shadow group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--bd8be1f4-e87c-445d-bb13-4454ab607a52", + "modified": "2023-10-27T20:54:33.787922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.790929Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value 
changing primary group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--1840a076-c449-40b6-accd-0c8b67111575", + "modified": "2023-10-27T20:54:33.790929Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.792928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing group member", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--5ce7a16f-b4bb-4901-b1cb-a90db0a7d91b", + "modified": "2023-10-27T20:54:33.792928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.793927Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing admin name in shadow group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--d1b0a83a-1aee-4290-87eb-ebba0e4208af", + "modified": "2023-10-27T20:54:33.793927Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.795921Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing member in shadow group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--f0247ebf-796b-4f54-ace3-734d0ab3737c", + "modified": "2023-10-27T20:54:33.795921Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": 
"User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.796921Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting group password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--abb453f1-4428-4721-96d6-8f1f3b852af7", + "modified": "2023-10-27T20:54:33.796921Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.797921Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting member", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--02c400a7-3566-43f2-8949-7ed5783da97a", + "modified": "2023-10-27T20:54:33.797921Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.798926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting user from group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--9884897c-7d9b-4359-a4fd-0006cf22d80b", + "modified": "2023-10-27T20:54:33.798926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.799921Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting user from shadow group", + 
"event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--c262705d-82f2-4713-ae98-50576bda7cce", + "modified": "2023-10-27T20:54:33.799921Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.801924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value removing group member", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--cd8d0f1e-5a3d-4dcb-b7bf-6452252ebd43", + "modified": "2023-10-27T20:54:33.801924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.802926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value removing user from shadow group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--4012b66e-0bcc-47e9-855b-c97410335463", + "modified": "2023-10-27T20:54:33.802926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.804922Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--b8b2739d-8031-4de9-bdf8-8b532eb81bd2", + "modified": "2023-10-27T20:54:33.804922Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.806927Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value deleting group", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--33a7711f-67b1-42a3-95f9-edc23127ffd9", + "modified": "2023-10-27T20:54:33.806927Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.808928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding user", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--4b2dd49d-8a8d-4ce1-86ec-8e9361d599b3", + "modified": "2023-10-27T20:54:33.808928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.810924Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value adding home directory", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--7e30de90-f421-40e1-b4b9-a7306a0bc6e8", + "modified": "2023-10-27T20:54:33.810924Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.811926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value lock password", + "event_id": "USER_CHAUTHTOK", + "id": 
"x-mitre-sensor-mapping--a073b468-4e38-4010-9f55-0bb916365787", + "modified": "2023-10-27T20:54:33.811926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.813928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value delete password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--6695c5ad-7d36-4955-9bce-087942525ecb", + "modified": "2023-10-27T20:54:33.813928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.816193Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value updating password", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--61f4bf9d-9f6c-4e64-9f94-ee5aa1c6c5c8", + "modified": "2023-10-27T20:54:33.816193Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.817926Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing name", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--7d939f13-c215-4542-89f3-a0f9eca8d4cd", + "modified": "2023-10-27T20:54:33.817926Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": 
"2023-10-27T20:54:33.819927Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing uid", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--e9cda13b-7d0a-451d-929c-849a817ce1de", + "modified": "2023-10-27T20:54:33.819927Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.820928Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing home directory", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--fe7062f1-73a5-4270-bacf-41e7ae4ac7f2", + "modified": "2023-10-27T20:54:33.820928Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.824003Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing mail file name", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--ed094905-68f4-4c46-be41-46949c5da85b", + "modified": "2023-10-27T20:54:33.824003Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.825003Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "op record field contains value changing mail file owner", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--d38288dc-6bef-46a9-9921-19cc5fd19f47", + "modified": 
"2023-10-27T20:54:33.825003Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.826078Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Triggered when a user account password or PIN is modified", + "event_id": "USER_CHAUTHTOK", + "id": "x-mitre-sensor-mapping--2bfd5de8-b50b-4391-8b67-c554fd8652d7", + "modified": "2023-10-27T20:54:33.826078Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.65287Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Triggered when an object is exported with an SELinux label", + "event_id": "USER_LABELED_EXPORT", + "id": "x-mitre-sensor-mapping--e2719b8c-a421-4863-8719-756621205438", + "modified": "2023-10-27T20:54:33.65287Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.65387Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Triggered when an object is exported without an SELinux label", + "event_id": "USER_UNLABELED_EXPORT", + "id": "x-mitre-sensor-mapping--af3a8ec0-9667-4e07-ba73-bf63d35e8b01", + "modified": "2023-10-27T20:54:33.65387Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.656868Z", + "data_component": "File Modification", + "data_source": 
"File", + "description": "Triggered when an object's level label is modified", + "event_id": "LABEL_LEVEL_CHANGE", + "id": "x-mitre-sensor-mapping--79083c90-03df-4022-8817-edca78e63e8c", + "modified": "2023-10-27T20:54:33.656868Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.65787Z", + "data_component": "File Modification", + "data_source": "File", + "description": "Triggered when administrator overrides object's level label", + "event_id": "LABEL_OVERRIDE", + "id": "x-mitre-sensor-mapping--9914aa55-b37e-450b-b38e-536e747c7dda", + "modified": "2023-10-27T20:54:33.65787Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:33.661868Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "Triggered when Netfilter chain modifications are detected", + "event_id": "NETFILTER_CFG", + "id": "x-mitre-sensor-mapping--99573857-176c-4d12-9c07-db462dc7d842", + "modified": "2023-10-27T20:54:33.661868Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:33.66387Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "Triggered when a user-space group is added", + "event_id": "ADD_GROUP", + "id": "x-mitre-sensor-mapping--10f73bf8-fe0b-46b6-a35f-bc90906d92f6", + "modified": "2023-10-27T20:54:33.66387Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Group", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.665892Z", + "data_component": "Group Deletion", + "data_source": "Group", + "description": "Triggered when a user-space group is deleted", + "event_id": "DEL_GROUP", + "id": "x-mitre-sensor-mapping--fe41f444-b001-4e41-a669-f5c68b537797", + "modified": "2023-10-27T20:54:33.665892Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.66787Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Triggered when the system run level is changed", + "event_id": "SYSTEM_RUNLEVEL", + "id": "x-mitre-sensor-mapping--f9477f40-0cb6-4287-8788-309ce2f5b8cb", + "modified": "2023-10-27T20:54:33.66787Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:33.668869Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Triggered when the system is shut down", + "event_id": "SYSTEM_SHUTDOWN", + "id": "x-mitre-sensor-mapping--6a77340e-1e6d-4883-80b8-0bb10d35b807", + "modified": "2023-10-27T20:54:33.668869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:33.669869Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "Triggered to record parameters set during a TLS session establishment", + "event_id": "CRYPTO_SESSION", + "id": "x-mitre-sensor-mapping--8848b561-521d-451c-9019-53019be51f6c", + "modified": 
"2023-10-27T20:54:33.669869Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.670871Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "Triggered when a user logs in", + "event_id": "USER_LOGIN", + "id": "x-mitre-sensor-mapping--35d97710-3b92-44d7-8f6e-84f1915acdfc", + "modified": "2023-10-27T20:54:33.670871Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.67187Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "Triggered when a user-space session is started", + "event_id": "USER_START", + "id": "x-mitre-sensor-mapping--0315ffda-00bd-42eb-9e95-1d6fdd34fff0", + "modified": "2023-10-27T20:54:33.67187Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.673871Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Triggered to record crypto key identifier used for crypto purposes", + "event_id": "CRYPTO_KEY_USER", + "id": "x-mitre-sensor-mapping--d02bd0bf-4493-4a5f-b37d-8d9925c061c4", + "modified": "2023-10-27T20:54:33.673871Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.67587Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + 
"description": "Triggered to record relevant login information when user logs into system", + "event_id": "LOGIN", + "id": "x-mitre-sensor-mapping--acd3a880-1a90-49ff-bbe6-b71bd7820ec6", + "modified": "2023-10-27T20:54:33.67587Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.676868Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Triggered when a user-space session is terminated", + "event_id": "USER_END", + "id": "x-mitre-sensor-mapping--a94a1d6c-fb82-4ab7-b109-bae02fd1710d", + "modified": "2023-10-27T20:54:33.676868Z", + "relationship": "Terminated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.678872Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Triggered when a user logs out", + "event_id": "USER_LOGOUT", + "id": "x-mitre-sensor-mapping--5ceb0d3d-5f43-49bf-8063-da63863471b5", + "modified": "2023-10-27T20:54:33.678872Z", + "relationship": "Terminated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Logon", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.680875Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Triggered when unlabeled traffic is allowed when using packet labeling", + "event_id": "MAC_UNLBL_ALLOW", + "id": "x-mitre-sensor-mapping--5de0ebcd-c17e-4cc0-90a3-73f21ac50870", + "modified": "2023-10-27T20:54:33.680875Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": 
"Network", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:33.682872Z", + "data_component": "Process Access", + "data_source": "Process", + "description": "Triggered when TTY input was sent to an administrative process", + "event_id": "TTY", + "id": "x-mitre-sensor-mapping--18081865-f85e-4c00-a4a3-adaa098a3151", + "modified": "2023-10-27T20:54:33.682872Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:33.686035Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "Triggered when a user-space shell command is executed", + "event_id": "USER_CMD", + "id": "x-mitre-sensor-mapping--8ac4056d-1d70-4669-bffd-db00ff247cd3", + "modified": "2023-10-27T20:54:33.686035Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:33.688868Z", + "data_component": "Process Termination", + "data_source": "Process", + "description": "Triggered when a processes ends abnormally (with core dump, if enabled)", + "event_id": "ANOM_ABEND", + "id": "x-mitre-sensor-mapping--743f9189-01a7-43fa-b660-8d8bdfd233f9", + "modified": "2023-10-27T20:54:33.688868Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:33.690869Z", + "data_component": "Service Access", + "data_source": "Service", + "description": "Triggered to record an SELinux permission check", + "event_id": "AVC", + "id": "x-mitre-sensor-mapping--a844e604-a8fa-433c-95cc-fb1ac46b4d77", + 
"modified": "2023-10-27T20:54:33.690869Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.693867Z", + "data_component": "Service Creation", + "data_source": "Service", + "description": "Triggered when the auditd daemon is started", + "event_id": "DAEMON_START", + "id": "x-mitre-sensor-mapping--3966849a-f767-4636-a850-0364844045af", + "modified": "2023-10-27T20:54:33.693867Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.694868Z", + "data_component": "Service Creation", + "data_source": "Service", + "description": "Triggered when a SELinux Policy file is loaded", + "event_id": "MAC_POLICY_LOAD", + "id": "x-mitre-sensor-mapping--583479cd-7470-485c-951f-abc81cc3052e", + "modified": "2023-10-27T20:54:33.694868Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.696866Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when a daemon is stopped due to an error", + "event_id": "DAEMON_ABORT", + "id": "x-mitre-sensor-mapping--4c3e97e6-0357-4b8c-a121-1e5a0762244d", + "modified": "2023-10-27T20:54:33.696866Z", + "relationship": "Terminated", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.697866Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when a 
daemon is successfully stopped", + "event_id": "DAEMON_END", + "id": "x-mitre-sensor-mapping--e32f509a-efb0-49b1-9670-59c7e0e8a611", + "modified": "2023-10-27T20:54:33.697866Z", + "relationship": "Terminated", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.698865Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when the auditd daemon resumes logging", + "event_id": "DAEMON_RESUME", + "id": "x-mitre-sensor-mapping--2ee305ab-ccba-433c-8d69-6a9df957855e", + "modified": "2023-10-27T20:54:33.698865Z", + "relationship": "Resumed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.698865Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when the auditd daemon rotates the Audit log files", + "event_id": "DAEMON_ROTATE", + "id": "x-mitre-sensor-mapping--5bb5bc58-129c-49e6-8bbb-dfcf5b7c55ac", + "modified": "2023-10-27T20:54:33.698865Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.699866Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when an internal SELinux error is detected", + "event_id": "SELINUX_ERR", + "id": "x-mitre-sensor-mapping--b64d637e-4748-4dae-89a7-3073fada0fe5", + "modified": "2023-10-27T20:54:33.699866Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + 
{ + "created": "2023-10-27T20:54:33.700866Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Triggered when an explanatory msg about TTY input to admin proc is sent", + "event_id": "USER_TTY", + "id": "x-mitre-sensor-mapping--3d483a16-c13c-4d5f-9a2d-13e8e028f620", + "modified": "2023-10-27T20:54:33.700866Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.702865Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when a device enables or disables promiscuous mode", + "event_id": "ANOM_PROMISCUOUS", + "id": "x-mitre-sensor-mapping--f875bb44-bc24-41b4-8238-b1e81c9ea355", + "modified": "2023-10-27T20:54:33.702865Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.703865Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_enabled record field contains 1 or 2", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--3fb6ee59-7cef-41fa-b7ba-3d4ade27150f", + "modified": "2023-10-27T20:54:33.703865Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.704865Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_enabled record field contains 0", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--c4049637-1ee1-4bda-9f5d-238ec36272cd", + "modified": "2023-10-27T20:54:33.704865Z", + "relationship": "Modified", + 
"revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.706871Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "op record field contains add rule", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--ee80284e-6852-41dc-b4bd-7e159dea57f3", + "modified": "2023-10-27T20:54:33.706871Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.707871Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "op record field contains remove rule", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--6df20b5c-8fe7-4220-b1dc-17d653a9ffeb", + "modified": "2023-10-27T20:54:33.707871Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.70887Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_failure record field contains value 0", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--fc99a12c-53ee-452b-8851-c020b6546529", + "modified": "2023-10-27T20:54:33.70887Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.709867Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_failure record field contains value 1", + "event_id": "CONFIG_CHANGE", + "id": 
"x-mitre-sensor-mapping--e2df85de-119a-4a0a-8842-015ffb3ee586", + "modified": "2023-10-27T20:54:33.709867Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.71087Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "audit_failure record field contains value 2", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--45564e66-b060-4afe-8f2f-045cf937e8de", + "modified": "2023-10-27T20:54:33.71087Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.711868Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "any other CONFIG_CHANGE cases not specified above", + "event_id": "CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--254c3b4c-6e20-467a-92f3-447d4512a0d1", + "modified": "2023-10-27T20:54:33.711868Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.712869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when a daemon configuration change is detected", + "event_id": "DAEMON_CONFIG", + "id": "x-mitre-sensor-mapping--f6d0d4b0-f1ca-43bd-aa28-82cacf78acd9", + "modified": "2023-10-27T20:54:33.712869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.71387Z", + "data_component": 
"Service Modification", + "data_source": "Service", + "description": "Triggered when Commercial Internet Protocol Security Option user adds a new Domain of Interpretation (DOI) via NetLabel", + "event_id": "MAC_CIPSOV4_ADD", + "id": "x-mitre-sensor-mapping--e7eeaf66-6053-49cc-aa8d-cfb743dafef6", + "modified": "2023-10-27T20:54:33.71387Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.714868Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.", + "event_id": "MAC_CIPSOV4_DEL", + "id": "x-mitre-sensor-mapping--841cce3b-2019-4844-8b90-01f1755c1fbd", + "modified": "2023-10-27T20:54:33.714868Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.715868Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when an SELinux Boolean value is changed", + "event_id": "MAC_CONFIG_CHANGE", + "id": "x-mitre-sensor-mapping--00c2e838-3c11-43ee-8b87-c10c933cd1ac", + "modified": "2023-10-27T20:54:33.715868Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.717153Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when a new Linux Security Module (LSM) domain mapping is added. 
LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.", + "event_id": "MAC_MAP_ADD", + "id": "x-mitre-sensor-mapping--5c3984c1-d866-42fe-9413-6b33bee97e6c", + "modified": "2023-10-27T20:54:33.717153Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.717869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when existing LSM domain mapping is deleted", + "event_id": "MAC_MAP_DEL", + "id": "x-mitre-sensor-mapping--d172c8fe-bf32-4836-a66e-fa448f042e5b", + "modified": "2023-10-27T20:54:33.717869Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.718869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when the SELinux mode is changed (enforcing, permissive, etc)", + "event_id": "MAC_STATUS", + "id": "x-mitre-sensor-mapping--2452e999-3ad7-47ca-a497-67f2d84713b1", + "modified": "2023-10-27T20:54:33.718869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.719869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when an administrator user assigns user to SELinux role", + "event_id": "ROLE_ASSIGN", + "id": "x-mitre-sensor-mapping--9b34b35f-db0f-4edb-9744-23669451f998", + "modified": "2023-10-27T20:54:33.719869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + 
"target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.720869Z", + "data_component": "Service Modification", + "data_source": "Service", + "description": "Triggered when an administrator removes a user from an SELinux role", + "event_id": "ROLE_REMOVE", + "id": "x-mitre-sensor-mapping--7a407e7d-ed0e-43b5-9ade-57d1151b29e9", + "modified": "2023-10-27T20:54:33.720869Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:33.723933Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "Triggered when a user refreshes their user-space credentials", + "event_id": "CRED_REFR", + "id": "x-mitre-sensor-mapping--1d85bb3e-2f0f-4dc2-a6f3-9b44496780d7", + "modified": "2023-10-27T20:54:33.723933Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.726922Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when the limit of failed login attempts is reached", + "event_id": "ANOM_LOGIN_FAILURES", + "id": "x-mitre-sensor-mapping--d6f381a3-fcb5-4bc9-ab49-d17d0fc2bf5f", + "modified": "2023-10-27T20:54:33.726922Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.727922Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when a login atempt is made from forbidden location", 
+ "event_id": "ANOM_LOGIN_LOCATION", + "id": "x-mitre-sensor-mapping--5130362d-ab38-4b88-987b-39cb0168ce2d", + "modified": "2023-10-27T20:54:33.727922Z", + "relationship": "Closed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.728922Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when a login attempt reaches max amount of sessions", + "event_id": "ANOM_LOGIN_SESSIONS", + "id": "x-mitre-sensor-mapping--2a34ded5-6628-40a0-b8a5-0fd8fa14e7ab", + "modified": "2023-10-27T20:54:33.728922Z", + "relationship": "Closed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.729931Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when a login attempt is made at a time when prevented", + "event_id": "ANOM_LOGIN_TIME", + "id": "x-mitre-sensor-mapping--d31a9924-412e-4b05-9a71-ab4b4b9e46ca", + "modified": "2023-10-27T20:54:33.729931Z", + "relationship": "Closed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.732923Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when a user account is locked", + "event_id": "RESP_ACCT_LOCK", + "id": "x-mitre-sensor-mapping--d4e19f25-84a3-4202-a212-2d03f1d86cdc", + "modified": "2023-10-27T20:54:33.732923Z", + "relationship": "Locked", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", 
+ "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.735923Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when user account is unlocked after configured time", + "event_id": "RESP_ACCT_UNLOCK_TIMED", + "id": "x-mitre-sensor-mapping--49fa051c-f24f-474a-9558-47281b508ef7", + "modified": "2023-10-27T20:54:33.735923Z", + "relationship": "Unlocked", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.736922Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when a user-space user authorization attempt is detected", + "event_id": "USER_ACCT", + "id": "x-mitre-sensor-mapping--e6e7f723-0500-4fe2-9031-ed3d96407cda", + "modified": "2023-10-27T20:54:33.736922Z", + "relationship": "Authorized", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.738924Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Triggered when a user-space user authentication attempt is detected", + "event_id": "USER_AUTH", + "id": "x-mitre-sensor-mapping--10bf2854-1c41-4cee-9681-333a75444b65", + "modified": "2023-10-27T20:54:33.738924Z", + "relationship": "Authenticates", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.740927Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "Triggered when a user-space user account is created", + "event_id": "ADD_USER", + "id": 
"x-mitre-sensor-mapping--42b6fbc9-b608-47c5-92de-85965906047f", + "modified": "2023-10-27T20:54:33.740927Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.741926Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "Triggered when a user-space account addition ends abnormally", + "event_id": "ANOM_ADD_ACCOUNT", + "id": "x-mitre-sensor-mapping--80f46219-20d7-416c-bcbe-46d665389520", + "modified": "2023-10-27T20:54:33.741926Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.742926Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "op record field contains add SELinux user record", + "event_id": "USER_ROLE_CHANGE", + "id": "x-mitre-sensor-mapping--2b2f13cc-d37d-4754-ab66-cce362360579", + "modified": "2023-10-27T20:54:33.742926Z", + "relationship": "Created", + "revoked": false, + "source": "Process/Suer", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.756926Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "op record field contains delete SELinux user record", + "event_id": "USER_ROLE_CHANGE", + "id": "x-mitre-sensor-mapping--17aa1808-6d6d-4216-95a4-76143460e4b8", + "modified": "2023-10-27T20:54:33.756926Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + 
"created": "2023-10-27T20:54:33.827998Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "any other USER_ROLE_CHANGE cases not specified above", + "event_id": "USER_ROLE_CHANGE", + "id": "x-mitre-sensor-mapping--35a89c44-5591-410a-96eb-ee59b3c9d013", + "modified": "2023-10-27T20:54:33.827998Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.743925Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "Triggered when a user-space account deletion ends abnormally", + "event_id": "ANOM_DEL_ACCOUNT", + "id": "x-mitre-sensor-mapping--0521e52d-0796-4cbf-a299-50d5e99e2df2", + "modified": "2023-10-27T20:54:33.743925Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.744926Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "Triggered when a user-space user is deleted", + "event_id": "DEL_USER", + "id": "x-mitre-sensor-mapping--93b81312-850b-4ef3-9ed7-4cac1c86a65b", + "modified": "2023-10-27T20:54:33.744926Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.758937Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Triggered when a user acquires user-space credentials", + "event_id": "CRED_ACQ", + "id": "x-mitre-sensor-mapping--e071bbd3-336c-4477-8063-8a163aedbdb4", + "modified": 
"2023-10-27T20:54:33.758937Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.759935Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Triggered when a user disposes of user-space credentials", + "event_id": "CRED_DISP", + "id": "x-mitre-sensor-mapping--07e77dc0-984f-4cae-81a0-fb239a35a14f", + "modified": "2023-10-27T20:54:33.759935Z", + "relationship": "Deleted", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.761935Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Triggered when a user account state error is detected", + "event_id": "USER_ERR", + "id": "x-mitre-sensor-mapping--9f86adf9-75fe-4df0-a756-36fbef54cba7", + "modified": "2023-10-27T20:54:33.761935Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.864987Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM.", + "event_id": "GetOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--62c1d975-6ccb-43e0-87fe-12e0eb9d12e4", + "modified": "2023-10-27T20:54:33.864987Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Connect Provider", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": 
"2023-10-27T20:54:33.866986Z", + "data_component": "Active Directory Object Creation", + "data_source": "Active Directory", + "description": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).\n\nThe OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.", + "event_id": "CreateOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--3a30c732-cd91-446d-b7c5-a2b86d5ec882", + "modified": "2023-10-27T20:54:33.866986Z", + "relationship": "Create", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Iam Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.868986Z", + "data_component": "Active Directory Object Deletion", + "data_source": "Active Directory", + "description": "Deletes an OpenID Connect identity provider (IdP) resource object in IAM.\n\nDeleting an IAM OIDC provider resource does not update any roles that reference the provider as a principal in their trust policies. Any attempt to assume a role that references a deleted provider fails.", + "event_id": "DeleteOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--6b12c0ec-78a1-469e-95a4-eb136e15bbad", + "modified": "2023-10-27T20:54:33.868986Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Oidc Identity Provider", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.869986Z", + "data_component": "Active Directory Object Deletion", + "data_source": "Active Directory", + "description": "Deletes a SAML provider resource in IAM.\n\nDeleting the provider resource from IAM does not update any roles that reference the SAML provider resource's ARN as a principal in their trust policies. 
Any attempt to assume a role that references a non-existent provider resource ARN fails.", + "event_id": "DeleteSAMLProvider", + "id": "x-mitre-sensor-mapping--684c5a2c-12ba-4bbb-8bf9-caaa7cd2881d", + "modified": "2023-10-27T20:54:33.869986Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.873993Z", + "data_component": "Active Directory Object Enumeration", + "data_source": "Active Directory", + "description": "Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.", + "event_id": "ListOpenIDConnectProviders", + "id": "x-mitre-sensor-mapping--1c90607e-f262-411a-88e8-cd982db42993", + "modified": "2023-10-27T20:54:33.873993Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Openidconnectproviders (Oicp)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.875988Z", + "data_component": "Active Directory Object Enumeration", + "data_source": "Active Directory", + "description": "Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible identity provider. 
The returned list of tags is sorted by tag key.", + "event_id": "ListOpenIDConnectProviderTags", + "id": "x-mitre-sensor-mapping--cc52c614-c9a9-40cb-8570-89f1906771bd", + "modified": "2023-10-27T20:54:33.875988Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.878988Z", + "data_component": "Active Directory Object Enumeration", + "data_source": "Active Directory", + "description": "Lists the SAML provider resource objects defined in IAM in the account.", + "event_id": "ListSAMLProviders", + "id": "x-mitre-sensor-mapping--244f3a73-dd29-4c7d-b4cb-060ae684b530", + "modified": "2023-10-27T20:54:33.878988Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.879988Z", + "data_component": "Active Directory Object Enumeration", + "data_source": "Active Directory", + "description": "Lists the tags that are attached to the specified Security Assertion Markup Language (SAML) identity provider. 
The returned list of tags is sorted by tag key.", + "event_id": "ListSAMLProviderTags", + "id": "x-mitre-sensor-mapping--21eaabf2-a903-4d6a-8072-3f5bb80fa78e", + "modified": "2023-10-27T20:54:33.879988Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.882988Z", + "data_component": "Active Directory Object Metadata", + "data_source": "Active Directory", + "description": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.\n\nThe SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.\n\nWhen you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP.", + "event_id": "CreateSAMLProvider", + "id": "x-mitre-sensor-mapping--802c9e7c-c0fc-456e-bf8c-266f8b3171ec", + "modified": "2023-10-27T20:54:33.882988Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Saml Provider", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.884987Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource.", + "event_id": "AddClientIDToOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--11a38397-63ba-486a-b921-72b01192d62d", + "modified": "2023-10-27T20:54:33.884987Z", + 
"relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.886192Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object.", + "event_id": "RemoveClientIDFromOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--cc8d1949-f9e0-45b0-a3a6-38c6e677ddce", + "modified": "2023-10-27T20:54:33.886192Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.887988Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Adds one or more tags to an OpenID Connect (OIDC)-compatible identity provider.", + "event_id": "TagOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--7e5f7094-c336-4d39-960b-7a661d40701c", + "modified": "2023-10-27T20:54:33.887988Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.892988Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Adds one or more tags to a Security Assertion Markup Language (SAML) identity provider.", + "event_id": "TagSAMLProvider", + "id": "x-mitre-sensor-mapping--296e7103-17f3-49dc-a1c3-6299eeeca837", + "modified": "2023-10-27T20:54:33.892988Z", + "relationship": 
"Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.894991Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Removes the specified tags from the specified OpenID Connect (OIDC)-compatible identity provider in IAM.", + "event_id": "UntagOpenIDConnectProvider", + "id": "x-mitre-sensor-mapping--9a140771-ea47-4abc-b9ba-f97ca174b85e", + "modified": "2023-10-27T20:54:33.894991Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.895989Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Removes the specified tags from the specified Security Assertion Markup Language (SAML) identity provider in IAM.", + "event_id": "UntagSAMLProvider", + "id": "x-mitre-sensor-mapping--67be93ca-ee09-40d1-9c55-e56980678307", + "modified": "2023-10-27T20:54:33.895989Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.897985Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints.", + "event_id": "UpdateOpenIDConnectProviderThumbprint", + "id": "x-mitre-sensor-mapping--950e585c-2611-4725-bd74-4d9095369333", + "modified": 
"2023-10-27T20:54:33.897985Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.898984Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "Updates the metadata document for an existing SAML provider resource object.", + "event_id": "UpdateSAMLProvider", + "id": "x-mitre-sensor-mapping--d3ab958d-35f5-4e0a-9161-7a9937524931", + "modified": "2023-10-27T20:54:33.898984Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:33.901005Z", + "data_component": "Certificate Access", + "data_source": "Certificate", + "description": "Retrieves information about the specified server certificate stored in IAM.", + "event_id": "GetServerCertificate", + "id": "x-mitre-sensor-mapping--59532e92-5868-4963-ac02-be2c067b6ba1", + "modified": "2023-10-27T20:54:33.901005Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.902991Z", + "data_component": "Certificate Deletion", + "data_source": "Certificate", + "description": "A server certificate has been deleted.", + "event_id": "DeleteServerCertificate", + "id": "x-mitre-sensor-mapping--87ec82bb-0832-40ed-ad55-2e6827fc6fe6", + "modified": "2023-10-27T20:54:33.902991Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { 
+ "created": "2023-10-27T20:54:33.903988Z", + "data_component": "Certificate Enumeration", + "data_source": "Certificate", + "description": "Lists the server certificates stored in IAM that have the specified path prefix. If none exist, the operation returns an empty list.", + "event_id": "ListServerCertificates", + "id": "x-mitre-sensor-mapping--52c2aed6-3189-4b4d-a140-fe6196bec41c", + "modified": "2023-10-27T20:54:33.903988Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.905993Z", + "data_component": "Certificate Modification", + "data_source": "Certificate", + "description": "Adds one or more tags to an IAM server certificate. If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagServerCertificate", + "id": "x-mitre-sensor-mapping--aad1aa8e-4536-4258-8184-b2d3af856f4c", + "modified": "2023-10-27T20:54:33.905993Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.907991Z", + "data_component": "Certificate Modification", + "data_source": "Certificate", + "description": "Removes the specified tags from the IAM server certificate.", + "event_id": "UntagServerCertificate", + "id": "x-mitre-sensor-mapping--4b91ba16-7b4a-4cab-a27a-94de021da326", + "modified": "2023-10-27T20:54:33.907991Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.90899Z", + "data_component": "Certificate Modification", + "data_source": 
"Certificate", + "description": "Updates the name and/or the path of the specified server certificate stored in IAM.", + "event_id": "UpdateServerCertificate", + "id": "x-mitre-sensor-mapping--9c1696b6-a921-45f1-b56b-e98f07865132", + "modified": "2023-10-27T20:54:33.90899Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:33.911003Z", + "data_component": "Cloud Service Account Access", + "data_source": "Cloud Service Account", + "description": "Retrieves the service last accessed data report for AWS Organizations that was previously generated using the GenerateOrganizationsAccessReport operation. This operation retrieves the status of your report job and the report contents.\n..\nTo call this operation, you must be signed in to the management account in your organization. SCPs must be enabled for your organization root. You must have permissions to perform this operation. 
\n\nFor each service that principals in an account (root user, IAM users, or IAM roles) could access using SCPs, the operation returns details about the most recent access attempt.", + "event_id": "GetOrganizationsAccessReport", + "id": "x-mitre-sensor-mapping--01fcd754-8c8f-4690-a9d3-19aa9adbf040", + "modified": "2023-10-27T20:54:33.911003Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Cloud Service Account Report", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.911985Z", + "data_component": "Cloud Service Account Access", + "data_source": "Cloud Service Account", + "description": "Retrieves the status of your service-linked role deletion.", + "event_id": "GetServiceLinkedRoleDeletionStatus", + "id": "x-mitre-sensor-mapping--58fca9f2-5762-4a36-9fdf-192e70a75ca5", + "modified": "2023-10-27T20:54:33.911985Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.913998Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "Submits a service-linked role deletion request and returns a DeletionTaskId, which you can use to check the status of the deletion. 
Before you call this operation, confirm that the role has no active sessions and that any resources used by the role in the linked service are deleted.", + "event_id": "DeleteServiceLinkedRole", + "id": "x-mitre-sensor-mapping--20e76b4a-a1fe-4add-b202-4e13993f750b", + "modified": "2023-10-27T20:54:33.913998Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account Service Link", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.914988Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "Generates a report for service last accessed data for AWS Organizations. You can generate a report for any entities (organization root, organizational unit, or account) or policies in your organization.\n\nTo call this operation, you must be signed in using your Organizations management account credentials. You can use your long-term IAM user or root user credentials, or temporary credentials from assuming an IAM role. SCPs must be enabled for your organization root. You must have the required IAM and Organizations permissions.", + "event_id": "GenerateOrganizationsAccessReport", + "id": "x-mitre-sensor-mapping--5a6e4a46-745b-42c9-9726-ea98a0873b11", + "modified": "2023-10-27T20:54:33.914988Z", + "relationship": "Enumerate", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Organization", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.916058Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. 
\n\n The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access.", + "event_id": "GetServiceLastAccessedDetails", + "id": "x-mitre-sensor-mapping--823af662-5701-4411-872b-7da41a74850e", + "modified": "2023-10-27T20:54:33.916058Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.916986Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "After you generate a group or policy report using the GenerateServiceLastAccessedDetails operation, you can use the JobId parameter in GetServiceLastAccessedDetailsWithEntities. This operation retrieves the status of your report job and a list of entities that could have used group or policy permissions to access the specified service.\n\nGroup – For a group report, this operation returns a list of users in the group that could have used the group’s policies in an attempt to access the service.\n\nPolicy – For a policy report, this operation returns a list of entities (users or roles) that could have used the policy in an attempt to access the service.\n\nYou can also use this operation for user or role reports to retrieve details about those entities.", + "event_id": "GetServiceLastAccessedDetailsWithEntities", + "id": "x-mitre-sensor-mapping--982bef99-b48e-4b19-a792-2541ceaa769c", + "modified": "2023-10-27T20:54:33.916986Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.917988Z", + "data_component": "Cloud Service Account Metadata", + "data_source": "Cloud Service Account", + "description": "Resets the 
password for a service-specific credential. The new password is AWS generated and cryptographically strong. It cannot be configured by the user. Resetting the password immediately invalidates the previous password associated with this user.", + "event_id": "ResetServiceSpecificCredential", + "id": "x-mitre-sensor-mapping--2d463d63-07cf-4d88-a7a0-241e86588af5", + "modified": "2023-10-27T20:54:33.917988Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:33.918998Z", + "data_component": "Cloud Service Disable", + "data_source": "Cloud Service", + "description": "CloudTrail has stopped recording CloudTrail Events. This is a significant red flag and should almost always be avoided.", + "event_id": "StopLogging", + "id": "x-mitre-sensor-mapping--df7eb06b-6ddc-4ad4-9b29-d2c230972d8c", + "modified": "2023-10-27T20:54:33.918998Z", + "relationship": "Disabled", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Cloud Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0025" + }, + { + "created": "2023-10-27T20:54:33.919998Z", + "data_component": "Cloud Service Metadata", + "data_source": "Cloud Service", + "description": "Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. 
Recent activity usually appears within four hours.", + "event_id": "GenerateServiceLastAccessedDetails", + "id": "x-mitre-sensor-mapping--fa7ecba0-776f-4b2b-86f6-70c64bbc6d7a", + "modified": "2023-10-27T20:54:33.919998Z", + "relationship": "Enumerate", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Service Report", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0025" + }, + { + "created": "2023-10-27T20:54:33.921985Z", + "data_component": "Group Access", + "data_source": "Group", + "description": "Returns a list of IAM users that are in the specified IAM group.", + "event_id": "GetGroup", + "id": "x-mitre-sensor-mapping--3072183b-9526-4e5f-87a0-a262a6978d65", + "modified": "2023-10-27T20:54:33.921985Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.923522Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "A new group has been created.", + "event_id": "CreateGroup", + "id": "x-mitre-sensor-mapping--de528f0e-b0b0-48d3-857b-42a071391308", + "modified": "2023-10-27T20:54:33.923522Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.926425Z", + "data_component": "Group Deletion", + "data_source": "Group", + "description": "An IAM group has been deleted. 
The group won't have contained any users or policies at time of deletion.", + "event_id": "DeleteGroup", + "id": "x-mitre-sensor-mapping--b5e08873-eed1-48b0-883c-a0f8f162cd73", + "modified": "2023-10-27T20:54:33.926425Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.92806Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "Lists all managed policies that are attached to the specified IAM group.", + "event_id": "ListAttachedGroupPolicies", + "id": "x-mitre-sensor-mapping--8b54a763-ba6f-44fa-b503-dfa64a581955", + "modified": "2023-10-27T20:54:33.92806Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.92906Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "Lists the names of the inline policies that are embedded in the specified IAM group.", + "event_id": "ListGroupPolicies", + "id": "x-mitre-sensor-mapping--bd136bf4-0596-48cc-b71d-c36d9bbdb6c4", + "modified": "2023-10-27T20:54:33.92906Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.92906Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "Lists the IAM groups that have the specified path prefix.", + "event_id": "ListGroups", + "id": "x-mitre-sensor-mapping--fb8f340a-f878-4320-a221-4af53d18a095", + "modified": "2023-10-27T20:54:33.92906Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", 
+ "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.93006Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "Lists the IAM groups that the specified IAM user belongs to.", + "event_id": "ListGroupsForUser", + "id": "x-mitre-sensor-mapping--a5eb11e3-f6fc-452c-8d9e-4c6dba0e0dee", + "modified": "2023-10-27T20:54:33.93006Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.932061Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "An inline policy for an IAM group has been deleted.", + "event_id": "DeleteGroupPolicy", + "id": "x-mitre-sensor-mapping--453c2021-10f9-4de4-9f53-a4d429f57c94", + "modified": "2023-10-27T20:54:33.932061Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.933048Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Removes the specified managed policy from the specified IAM group.", + "event_id": "DetachGroupPolicy", + "id": "x-mitre-sensor-mapping--60e9fcae-b1b7-4be3-acb4-6cde2b67d268", + "modified": "2023-10-27T20:54:33.933048Z", + "relationship": "Removed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.93406Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Retrieves the specified inline policy document that is embedded in the specified IAM 
group.", + "event_id": "GetGroupPolicy", + "id": "x-mitre-sensor-mapping--b30f7e31-19dd-4d6a-b7d5-1c7fb0e92fce", + "modified": "2023-10-27T20:54:33.93406Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.93406Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Lists all IAM users, groups, and roles that the specified managed policy is attached to.", + "event_id": "ListEntitiesForPolicy", + "id": "x-mitre-sensor-mapping--05cca61b-05ff-4679-a2a6-7921a9c56025", + "modified": "2023-10-27T20:54:33.93406Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.113184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists all IAM users, groups, and roles that the specified managed policy is attached to.", + "event_id": "ListEntitiesForPolicy", + "id": "x-mitre-sensor-mapping--58db3a83-3c8d-4c04-8de9-084bebf3b6f9", + "modified": "2023-10-27T20:54:34.113184Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.935048Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service.\n\nThe list of policies returned by the operation depends on the ARN of the identity that you provide.", + "event_id": "ListPoliciesGrantingServiceAccess", + "id": 
"x-mitre-sensor-mapping--8c90374a-e7e6-4d58-97e4-7e1ae1b4497d", + "modified": "2023-10-27T20:54:33.935048Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.116509Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service.\n\nThe list of policies returned by the operation depends on the ARN of the identity that you provide.", + "event_id": "ListPoliciesGrantingServiceAccess", + "id": "x-mitre-sensor-mapping--208739ea-35e1-422c-8f57-1f255055eab4", + "modified": "2023-10-27T20:54:34.116509Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.936061Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "A policy for an IAM group has been added or updated.", + "event_id": "PutGroupPolicy", + "id": "x-mitre-sensor-mapping--856db6f5-e007-4ed4-a4e6-e87889d8e249", + "modified": "2023-10-27T20:54:33.936061Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.93706Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Adds or updates an inline policy document that is embedded in the specified IAM group.", + "event_id": "PutGroupPolicy", + "id": "x-mitre-sensor-mapping--4229cf66-27dc-4778-bd40-e6a016e749c2", + "modified": "2023-10-27T20:54:33.93706Z", + 
"relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.938061Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of.", + "event_id": "GetContextKeysForPrincipalPolicy", + "id": "x-mitre-sensor-mapping--ca9385de-4ce9-4b00-8a30-664a78ef1b3c", + "modified": "2023-10-27T20:54:33.938061Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.102189Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. 
If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of.", + "event_id": "GetContextKeysForPrincipalPolicy", + "id": "x-mitre-sensor-mapping--b25855bd-61d5-4798-be65-85cb1f894acc", + "modified": "2023-10-27T20:54:34.102189Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.942064Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A user has been added to a group.", + "event_id": "AddUserToGroup", + "id": "x-mitre-sensor-mapping--c7bc512c-2379-406b-8772-bf681e90c50b", + "modified": "2023-10-27T20:54:33.942064Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.943595Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A managed policy has been added to an IAM group.", + "event_id": "AttachGroupPolicy", + "id": "x-mitre-sensor-mapping--ce306246-b7f5-4b39-87e9-bb2af0322d88", + "modified": "2023-10-27T20:54:33.943595Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.944141Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A user has been removed from an IAM group.", + "event_id": "RemoveUserFromGroup", + "id": "x-mitre-sensor-mapping--27b3e68a-be33-4bf4-b058-7546532f2c8b", + "modified": "2023-10-27T20:54:33.944141Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam 
User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.945128Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "Updates the name and/or the path of the specified IAM group.", + "event_id": "UpdateGroup", + "id": "x-mitre-sensor-mapping--dc43677b-382d-4d31-9537-cc27ba8dbc5e", + "modified": "2023-10-27T20:54:33.945128Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:33.94713Z", + "data_component": "Image Creation", + "data_source": "Image", + "description": "Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.", + "event_id": "CreateImage", + "id": "x-mitre-sensor-mapping--8e2c9916-784f-4ed2-94cb-e2dcdc423067", + "modified": "2023-10-27T20:54:33.94713Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Amazon Machine Image(Ami)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0007" + }, + { + "created": "2023-10-27T20:54:33.949134Z", + "data_component": "Image Modification", + "data_source": "Image", + "description": "Modifies the specified attribute of the specified AMI. 
You can specify only one attribute at a time.", + "event_id": "ModifyImageAttribute", + "id": "x-mitre-sensor-mapping--a3767bbe-bbe0-423b-b277-49fad2a3d678", + "modified": "2023-10-27T20:54:33.949134Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Image", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0007" + }, + { + "created": "2023-10-27T20:54:33.951131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Adds the specified IAM role to the specified instance profile. An instance profile can contain only one role, and this quota cannot be increased. You can remove the existing role and then add a different role to an instance profile.", + "event_id": "AddRoleToInstanceProfile", + "id": "x-mitre-sensor-mapping--885bfc14-f96a-4bf4-92ed-0d39eae08834", + "modified": "2023-10-27T20:54:33.951131Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.953131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Creates a new instance profile.", + "event_id": "CreateInstanceProfile", + "id": "x-mitre-sensor-mapping--17d27b9f-66be-448b-b1ab-e32f4528a60d", + "modified": "2023-10-27T20:54:33.953131Z", + "relationship": "Create", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.954131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Deletes the specified instance profile. 
The instance profile must not have an associated role.", + "event_id": "DeleteInstanceProfile", + "id": "x-mitre-sensor-mapping--6ab3f3fc-84c8-43dc-9cbe-f44e628619ff", + "modified": "2023-10-27T20:54:33.954131Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.956127Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role.", + "event_id": "GetInstanceProfile", + "id": "x-mitre-sensor-mapping--517b3f90-071c-4f16-83e8-f1f1443a2b47", + "modified": "2023-10-27T20:54:33.956127Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.958127Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list.", + "event_id": "ListInstanceProfiles", + "id": "x-mitre-sensor-mapping--d0d0dc7e-c3ab-4587-8d81-910141f2122d", + "modified": "2023-10-27T20:54:33.958127Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.960127Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Lists the instance profiles that have the specified associated IAM role. 
If there are none, the operation returns an empty list.", + "event_id": "ListInstanceProfilesForRole", + "id": "x-mitre-sensor-mapping--ba66091c-f900-4ae3-aee9-0ec9905b4ed1", + "modified": "2023-10-27T20:54:33.960127Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Profiles", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.962131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Lists the tags that are attached to the specified IAM instance profile. The returned list of tags is sorted by tag key.", + "event_id": "ListInstanceProfileTags", + "id": "x-mitre-sensor-mapping--b9b198e8-3cb8-4b6f-82d4-edb2fd4e29ab", + "modified": "2023-10-27T20:54:33.962131Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.964133Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "An IAM role has been removed from an EC2 instance profile.", + "event_id": "RemoveRoleFromInstanceProfile", + "id": "x-mitre-sensor-mapping--f518d0c0-dd2b-4889-86ac-3946ff578e3b", + "modified": "2023-10-27T20:54:33.964133Z", + "relationship": "Removed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.965131Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Adds one or more tags to an IAM instance profile. 
If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagInstanceProfile", + "id": "x-mitre-sensor-mapping--ca4dcefc-f182-4e82-b277-f0116818b41d", + "modified": "2023-10-27T20:54:33.965131Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.966128Z", + "data_component": "Instance Metadata", + "data_source": "Instance", + "description": "Removes the specified tags from the IAM instance profile.", + "event_id": "UntagInstanceProfile", + "id": "x-mitre-sensor-mapping--f9fba9a1-af87-4760-8d1d-846157c02f18", + "modified": "2023-10-27T20:54:33.966128Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.967128Z", + "data_component": "Instance Start", + "data_source": "Instance", + "description": "An Instance has been launched. From the associated metadata you’ll be able to determine who the owner is, what regions the resources are in, the InstanceType and more.", + "event_id": "RunInstances", + "id": "x-mitre-sensor-mapping--6c14ec55-662f-4a63-93f9-d73fbea1d442", + "modified": "2023-10-27T20:54:33.967128Z", + "relationship": "Creates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.968128Z", + "data_component": "Instance Start", + "data_source": "Instance", + "description": "An instance has been started. 
Similar metadata to RunInstances will give you an insight into more detail.", + "event_id": "StartInstances", + "id": "x-mitre-sensor-mapping--32d72d8e-3515-4236-bd7a-50f450bea824", + "modified": "2023-10-27T20:54:33.968128Z", + "relationship": "Started", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.970128Z", + "data_component": "Instance Stop", + "data_source": "Instance", + "description": "Stops an Amazon EBS-backed instance.\nSimilar to StartInstances and RunInstances.", + "event_id": "StopInstances", + "id": "x-mitre-sensor-mapping--ad8da69b-d4a5-4c0a-bef2-28db88662aa7", + "modified": "2023-10-27T20:54:33.970128Z", + "relationship": "Stopped", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Instance", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0030" + }, + { + "created": "2023-10-27T20:54:33.971129Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "A user has signed into AWS Management Console. 
That user could be an account owner, a federated user or an IAM user.", + "event_id": "ConsoleLogin", + "id": "x-mitre-sensor-mapping--cc33d6b4-d7dd-49cf-8b14-1564c78c1340", + "modified": "2023-10-27T20:54:33.971129Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:33.975137Z", + "data_component": "Snapshot Creation", + "data_source": "Snapshot", + "description": "Creates a snapshot of an EBS volume and stores it in Amazon S3.", + "event_id": "CreateSnapshot", + "id": "x-mitre-sensor-mapping--c6e8d83f-56b9-4d64-9dce-32c0379938ea", + "modified": "2023-10-27T20:54:33.975137Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Snapshot", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0020" + }, + { + "created": "2023-10-27T20:54:33.978131Z", + "data_component": "Snapshot Deletion", + "data_source": "Snapshot", + "description": "Deletes the specified snapshot.", + "event_id": "DeleteSnapshot", + "id": "x-mitre-sensor-mapping--b00917cb-6859-4d7b-aa5c-e350b27d7635", + "modified": "2023-10-27T20:54:33.978131Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Snapshot", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0020" + }, + { + "created": "2023-10-27T20:54:33.980131Z", + "data_component": "Snapshot Modification", + "data_source": "Snapshot", + "description": "Adds or removes permission settings for the specified snapshot. 
You may add or remove specified AWS account IDs from a snapshot's list of create volume permissions, but you cannot do both in a single operation.", + "event_id": "ModifySnapshotAttribute", + "id": "x-mitre-sensor-mapping--89b21aa3-7548-4b23-974a-5592a129ce95", + "modified": "2023-10-27T20:54:33.980131Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Snapshot", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0020" + }, + { + "created": "2023-10-27T20:54:33.983138Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "Retrieves information about IAM entity usage and IAM quotas in the AWS account.", + "event_id": "GetAccountSummary", + "id": "x-mitre-sensor-mapping--b43445b5-6f26-41a4-aa0e-cd0a41004d53", + "modified": "2023-10-27T20:54:33.983138Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.984134Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "Retrieves the specified SSH public key, including metadata about the key.\n\nThe SSH public key retrieved by this operation is used only for authenticating the associated IAM user to an CodeCommit repository.", + "event_id": "GetSSHPublicKey", + "id": "x-mitre-sensor-mapping--1d5448b1-e06a-4817-86f6-e675bee7df89", + "modified": "2023-10-27T20:54:33.984134Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Ssh Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.986344Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "Retrieves information about the 
specified IAM user, including the user's creation date, path, unique ID, and ARN.", + "event_id": "GetUser", + "id": "x-mitre-sensor-mapping--98defa73-fe3c-42ce-b077-6d8010fce0e2", + "modified": "2023-10-27T20:54:33.986344Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.991134Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Creates a new virtual MFA device for the AWS account. After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user.", + "event_id": "CreateVirtualMFADevice", + "id": "x-mitre-sensor-mapping--a8914d08-ee9a-40a0-840c-b4ed9bfa13a6", + "modified": "2023-10-27T20:54:33.991134Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.993133Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.", + "event_id": "DeactivateMFADevice", + "id": "x-mitre-sensor-mapping--d9bf8e04-85c3-4f17-8a16-f2758148e5aa", + "modified": "2023-10-27T20:54:33.993133Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.994136Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Deletes a virtual MFA device.", + "event_id": "DeleteVirtualMFADevice", + "id": 
"x-mitre-sensor-mapping--03492cfb-d8bc-4418-b019-e86f040df8a9", + "modified": "2023-10-27T20:54:33.994136Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.99615Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Enables the specified MFA device and associates it with the specified IAM user. When enabled, the MFA device is required for every subsequent login by the IAM user associated with the device.", + "event_id": "EnableMFADevice", + "id": "x-mitre-sensor-mapping--ad8494cf-d381-42d8-a5c9-3b717a4f2d6c", + "modified": "2023-10-27T20:54:33.99615Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.998137Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Retrieves information about an MFA device for a specified user.", + "event_id": "GetMFADevice", + "id": "x-mitre-sensor-mapping--b733a6b2-d18a-44f3-b7b6-089be13eed9e", + "modified": "2023-10-27T20:54:33.998137Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:33.999131Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Lists the MFA devices for an IAM user. 
If the request includes a IAM user name, then this operation lists all the MFA devices associated with the specified user.\n\nIf you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request for this operation.", + "event_id": "ListMFADevices", + "id": "x-mitre-sensor-mapping--9f2a9235-ba55-43a3-bfca-6ff7ecec8ebc", + "modified": "2023-10-27T20:54:33.999131Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.000129Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. The returned list of tags is sorted by tag key.", + "event_id": "ListMFADeviceTags", + "id": "x-mitre-sensor-mapping--85963163-3fa8-4278-b540-985af695c398", + "modified": "2023-10-27T20:54:34.000129Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.001128Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Lists the virtual MFA devices defined in the AWS account by assignment status. 
If you do not specify an assignment status, the operation returns a list of all virtual MFA devices.", + "event_id": "ListVirtualMFADevices", + "id": "x-mitre-sensor-mapping--3367ea67-fb56-4546-8eca-0dceff722108", + "modified": "2023-10-27T20:54:34.001128Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.002133Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Synchronizes the specified MFA device with its IAM resource object on the AWS servers.", + "event_id": "ResyncMFADevice", + "id": "x-mitre-sensor-mapping--7a523993-fdec-450f-99aa-d68cd4e7a516", + "modified": "2023-10-27T20:54:34.002133Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.004129Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Adds one or more tags to an IAM virtual multi-factor authentication (MFA) device. 
If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagMFADevice", + "id": "x-mitre-sensor-mapping--1c74ab35-fa79-42da-8487-b188574ba5da", + "modified": "2023-10-27T20:54:34.004129Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.005128Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Removes the specified tags from the IAM virtual multi-factor authentication (MFA) device.", + "event_id": "UntagMFADevice", + "id": "x-mitre-sensor-mapping--79c1bfa4-9722-4cce-98da-cdd994e269ca", + "modified": "2023-10-27T20:54:34.005128Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Mfa Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.008134Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "A new IAM user has been created for an AWS account.", + "event_id": "CreateUser", + "id": "x-mitre-sensor-mapping--a65f6a88-1402-4bb1-8ed5-e1a87206c932", + "modified": "2023-10-27T20:54:34.008134Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.010134Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "A user has been deleted.", + "event_id": "DeleteUser", + "id": "x-mitre-sensor-mapping--0114a8a0-965c-4677-8a55-f544877de45e", + "modified": "2023-10-27T20:54:34.010134Z", + "relationship": "Delete", + "revoked": false, + "source": 
"User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.012131Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Returns information about the access key IDs associated with the specified IAM user. If there is none, the operation returns an empty list.", + "event_id": "ListAccessKeys", + "id": "x-mitre-sensor-mapping--a7e0a374-54f5-432b-9485-d724bc979027", + "modified": "2023-10-27T20:54:34.012131Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Access Keys", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.013135Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists the account alias associated with the AWS account (Note: you can have only one).", + "event_id": "ListAccountAliases", + "id": "x-mitre-sensor-mapping--372a76d2-93b6-44e6-a669-18bc142cd24d", + "modified": "2023-10-27T20:54:34.013135Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.014133Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists all managed policies that are attached to the specified IAM user.", + "event_id": "ListAttachedUserPolicies", + "id": "x-mitre-sensor-mapping--c42abfd4-9f46-4df2-a245-63e241c1a40e", + "modified": "2023-10-27T20:54:34.014133Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + 
}, + { + "created": "2023-10-27T20:54:34.016244Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies.", + "event_id": "ListPolicies", + "id": "x-mitre-sensor-mapping--a3174459-87d8-4eb0-8c90-7d646a2d13f7", + "modified": "2023-10-27T20:54:34.016244Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.01713Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Returns information about the service-specific credentials associated with the specified IAM user. If none exists, the operation returns an empty list. The service-specific credentials returned by this operation are used only for authenticating the IAM user to a specific service.", + "event_id": "ListServiceSpecificCredentials", + "id": "x-mitre-sensor-mapping--d0b5f7e8-9833-47f0-8e7f-a404384c7607", + "modified": "2023-10-27T20:54:34.01713Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.018133Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Returns information about the signing certificates associated with the specified IAM user. 
If none exists, the operation returns an empty list.", + "event_id": "ListSigningCertificates", + "id": "x-mitre-sensor-mapping--3198219e-60dc-4c5a-85b8-9999f43b26ce", + "modified": "2023-10-27T20:54:34.018133Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.019133Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Returns information about the SSH public keys associated with the specified IAM user. If none exists, the operation returns an empty list.", + "event_id": "ListSSHPublicKeys", + "id": "x-mitre-sensor-mapping--0ea29002-5f3f-45bd-84bf-bdd566c3b052", + "modified": "2023-10-27T20:54:34.019133Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Ssh Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.020138Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists the names of the inline policies embedded in the specified IAM user.", + "event_id": "ListUserPolicies", + "id": "x-mitre-sensor-mapping--56ee3cb6-8a25-4ec4-9d34-c55da160fa74", + "modified": "2023-10-27T20:54:34.020138Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.022136Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists the IAM users that have the specified path prefix. 
If no path prefix is specified, the operation returns all users in the AWS account.", + "event_id": "ListUsers", + "id": "x-mitre-sensor-mapping--2bdba96c-f947-469f-9f1c-2ed566bd2421", + "modified": "2023-10-27T20:54:34.022136Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.023692Z", + "data_component": "User Account Enumeration", + "data_source": "User Account", + "description": "Lists the tags that are attached to the specified IAM user. The returned list of tags is sorted by tag key.", + "event_id": "ListUserTags", + "id": "x-mitre-sensor-mapping--fd61a3bd-76d7-4f4b-b351-fc80902359db", + "modified": "2023-10-27T20:54:34.023692Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.026661Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. 
This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state.", + "event_id": "CreateServiceLinkedRole", + "id": "x-mitre-sensor-mapping--a96c6fd0-777d-4b92-b777-88f9c77a79a3", + "modified": "2023-10-27T20:54:34.026661Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.02766Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request. These credentials are generated by IAM, and can be used only for the specified service.\n\nYou can have a maximum of two sets of service-specific credentials for each supported service per user.", + "event_id": "CreateServiceSpecificCredential", + "id": "x-mitre-sensor-mapping--e17d16a2-2bbe-41e4-b4df-2b77f660035f", + "modified": "2023-10-27T20:54:34.02766Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.029668Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An access key pair for an IAM user has been deleted.", + "event_id": "DeleteAccessKey", + "id": "x-mitre-sensor-mapping--9ba16ecf-1117-42b9-865d-9b384bcb2891", + "modified": "2023-10-27T20:54:34.029668Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Access Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.030662Z", + 
"data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An AWS account alias has been deleted.", + "event_id": "DeleteAccountAlias", + "id": "x-mitre-sensor-mapping--8946e2d8-ff55-43a1-9ff8-6f355604a156", + "modified": "2023-10-27T20:54:34.030662Z", + "relationship": "Delete", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account Alias", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.032662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A password policy for an account has been deleted.", + "event_id": "DeleteAccountPasswordPolicy", + "id": "x-mitre-sensor-mapping--e5183f8c-138d-434d-a3ef-893be870b2ae", + "modified": "2023-10-27T20:54:34.032662Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.033663Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A password for an IAM user has been deleted thus removing that user's ability to access services through the console.", + "event_id": "DeleteLoginProfile", + "id": "x-mitre-sensor-mapping--7727209d-e021-492c-b2e5-2e4438cb49dc", + "modified": "2023-10-27T20:54:34.033663Z", + "relationship": "Delete", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.034663Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A version of a policy has been deleted.", + "event_id": "DeletePolicyVersion", + "id": "x-mitre-sensor-mapping--ae801602-b8e7-472f-b556-c4e284829862", + 
"modified": "2023-10-27T20:54:34.034663Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.037665Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A role has been deleted. The role will not have had any policies attached if it was able to be deleted.", + "event_id": "DeleteRole", + "id": "x-mitre-sensor-mapping--0914a597-ae5f-4a7c-aa28-0e143e839557", + "modified": "2023-10-27T20:54:34.037665Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.038665Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Deletes the permissions boundary for the specified IAM role.\n\nYou cannot set the boundary for a service-linked role.", + "event_id": "DeleteRolePermissionsBoundary", + "id": "x-mitre-sensor-mapping--c2426a73-e158-45af-bd09-691f0ac3dbac", + "modified": "2023-10-27T20:54:34.038665Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Permissions", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.040663Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An inline policy for an IAM role has been deleted.", + "event_id": "DeleteRolePolicy", + "id": "x-mitre-sensor-mapping--ff5608bb-fa99-4e75-9de0-f51246e12d2c", + "modified": "2023-10-27T20:54:34.040663Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + 
"type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.041662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Deletes the specified service-specific credential.", + "event_id": "DeleteServiceSpecificCredential", + "id": "x-mitre-sensor-mapping--41b562dd-7c29-4bf2-a6c1-f8dff32ce151", + "modified": "2023-10-27T20:54:34.041662Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.043661Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A signing certificate has been deleted.", + "event_id": "DeleteSigningCertificate", + "id": "x-mitre-sensor-mapping--61241a64-f97b-41f2-a608-94ed02a47f0d", + "modified": "2023-10-27T20:54:34.043661Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Certificate", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.044662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An SSH public key has been deleted.\n\nThe SSH public key deleted by this operation is used only for authenticating the associated IAM user to an CodeCommit repository.", + "event_id": "DeleteSSHPublicKey", + "id": "x-mitre-sensor-mapping--4dd3e9f5-03fe-43e2-909d-7061250f12f6", + "modified": "2023-10-27T20:54:34.044662Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Public Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.045754Z", + "data_component": "User Account Metadata", + 
"data_source": "User Account", + "description": "Deletes the permissions boundary for the specified IAM user.", + "event_id": "DeleteUserPermissionsBoundary", + "id": "x-mitre-sensor-mapping--95f9b6d1-38bc-4a02-a5d0-11a3eca5c9ad", + "modified": "2023-10-27T20:54:34.045754Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Permissions", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.04666Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An inline policy for an IAM user has been deleted.", + "event_id": "DeleteUserPolicy", + "id": "x-mitre-sensor-mapping--d6724e61-fe89-40de-b7fb-4c471c49cf5e", + "modified": "2023-10-27T20:54:34.04666Z", + "relationship": "Delete", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.047661Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A managed policy has been removed from a role.", + "event_id": "DetachRolePolicy", + "id": "x-mitre-sensor-mapping--4e1f93d0-b753-4a68-882c-02ddd3465f10", + "modified": "2023-10-27T20:54:34.047661Z", + "relationship": "Removed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.04966Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A managed policy has been removed from a user.", + "event_id": "DetachUserPolicy", + "id": "x-mitre-sensor-mapping--965d11e3-ead6-4194-902e-a40a5f27988a", + "modified": "2023-10-27T20:54:34.04966Z", + "relationship": "Removed", + "revoked": 
false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.050659Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves a credential report for the AWS account.", + "event_id": "GenerateCredentialReport", + "id": "x-mitre-sensor-mapping--a8161083-2f59-4975-977d-466f619480b3", + "modified": "2023-10-27T20:54:34.050659Z", + "relationship": "Enumerate", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.051659Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves a credential report for the AWS account.", + "event_id": "GetCredentialReport", + "id": "x-mitre-sensor-mapping--277dce9f-bf33-4e3d-9217-5babf2042d3a", + "modified": "2023-10-27T20:54:34.051659Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.053664Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists the names of the inline policies that are embedded in the specified IAM role.", + "event_id": "ListRolePolicies", + "id": "x-mitre-sensor-mapping--7611c64c-d1e9-4aff-bf58-ec116b25b0be", + "modified": "2023-10-27T20:54:34.053664Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.054662Z", + "data_component": "User Account Metadata", + 
"data_source": "User Account", + "description": "Lists the IAM roles that have the specified path prefix. If there are none, the operation returns an empty list.", + "event_id": "ListRoles", + "id": "x-mitre-sensor-mapping--5251ff50-9d4a-4244-a38b-cfe5cfa928d1", + "modified": "2023-10-27T20:54:34.054662Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.055662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists the tags that are attached to the specified role. The returned list of tags is sorted by tag key.", + "event_id": "ListRoleTags", + "id": "x-mitre-sensor-mapping--943d08fb-85f8-48b3-8f42-35cee656789b", + "modified": "2023-10-27T20:54:34.055662Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "User Account Tags", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.057663Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds or updates the policy that is specified as the IAM role's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a role. Use the boundary to control the maximum permissions that the role can have. 
Setting a permissions boundary is an advanced feature that can affect the permissions for the role.", + "event_id": "PutRolePermissionsBoundary", + "id": "x-mitre-sensor-mapping--603037ed-30cd-48e3-b6e9-330e9fe9319c", + "modified": "2023-10-27T20:54:34.057663Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.058662Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A policy for an IAM role has been added or updated.", + "event_id": "PutRolePolicy", + "id": "x-mitre-sensor-mapping--be7f68f1-beda-47e3-afca-86f1f1473a9e", + "modified": "2023-10-27T20:54:34.058662Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.059661Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds or updates an inline policy document that is embedded in the specified IAM role.", + "event_id": "PutRolePolicy", + "id": "x-mitre-sensor-mapping--0b1381fc-cf8d-46ca-90ad-a6a1926dcdfa", + "modified": "2023-10-27T20:54:34.059661Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.062664Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds or updates the policy that is specified as the IAM user's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a user. 
Use the boundary to control the maximum permissions that the user can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the user.", + "event_id": "PutUserPermissionsBoundary", + "id": "x-mitre-sensor-mapping--25a6c4d2-5b54-4104-a03a-cd7edb646f95", + "modified": "2023-10-27T20:54:34.062664Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.064661Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A policy for an IAM user has been added or updated.", + "event_id": "PutUserPolicy", + "id": "x-mitre-sensor-mapping--1c149f36-f883-42dc-aef0-716f2c29cfd7", + "modified": "2023-10-27T20:54:34.064661Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.06679Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds or updates an inline policy document that is embedded in the specified IAM role.", + "event_id": "PutUserPolicy", + "id": "x-mitre-sensor-mapping--ce64350b-150a-44ad-a8e7-e3d629e7fe67", + "modified": "2023-10-27T20:54:34.06679Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.069189Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A version of a policy has been set as a default. This can apply to users, groups and roles. 
To find specifics, use the ListEntitiesForPolicy API.", + "event_id": "SetDefaultPolicyVersion", + "id": "x-mitre-sensor-mapping--daa080ff-f783-4226-9825-17a899d48c27", + "modified": "2023-10-27T20:54:34.069189Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.070192Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and AWS resources to determine the policies' effective permissions. The policies are provided as strings.", + "event_id": "SimulateCustomPolicy", + "id": "x-mitre-sensor-mapping--d49bce5c-2cdd-4f6a-8b8a-48d8c769e2d2", + "modified": "2023-10-27T20:54:34.070192Z", + "relationship": "Enumerates", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.07119Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to. 
You can simulate resources that don't exist in your account.", + "event_id": "SimulatePrincipalPolicy", + "id": "x-mitre-sensor-mapping--eb7ca8aa-bf9f-4ea3-a0ed-86ac1707f38f", + "modified": "2023-10-27T20:54:34.07119Z", + "relationship": "Accesses", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.073192Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds one or more tags to an IAM customer managed policy. If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagPolicy", + "id": "x-mitre-sensor-mapping--128ac515-2c03-4576-92ec-2480ab2d4675", + "modified": "2023-10-27T20:54:34.073192Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.074186Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Adds one or more tags to an IAM role. The role can be a regular role or a service-linked role. 
If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagRole", + "id": "x-mitre-sensor-mapping--82d8b467-8724-4b63-b0c5-682ae9fabe68", + "modified": "2023-10-27T20:54:34.074186Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.076188Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Removes the specified tags from the customer managed policy.", + "event_id": "Untag Policy", + "id": "x-mitre-sensor-mapping--24fd7f69-ee6e-4c2a-9adf-424e6299e7a6", + "modified": "2023-10-27T20:54:34.076188Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.078185Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Removes the specified tags from the role.", + "event_id": "UntagRole", + "id": "x-mitre-sensor-mapping--dbb26ea5-546a-443a-b5fb-b696638f7b3c", + "modified": "2023-10-27T20:54:34.078185Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Metadata (User Tags)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.079195Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Updates the password policy settings for the AWS account.", + "event_id": "UpdateAccountPasswordPolicy", + "id": "x-mitre-sensor-mapping--66546c19-83b4-40ba-9082-804410d5988f", + "modified": "2023-10-27T20:54:34.079195Z", + "relationship": 
"Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.080184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Updates the policy that grants an IAM entity permission to assume a role.", + "event_id": "UpdateAssumeRolePolicy", + "id": "x-mitre-sensor-mapping--d2622ace-4bc1-4130-acf9-d6d834239663", + "modified": "2023-10-27T20:54:34.080184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.081199Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Updates the description or maximum session duration setting of a role.", + "event_id": "UpdateRole", + "id": "x-mitre-sensor-mapping--8ac960c4-9b3d-4cc4-b6ba-6a5cdd94f45f", + "modified": "2023-10-27T20:54:34.081199Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.084188Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A managed policy has been added to an IAM role.", + "event_id": "AttachRolePolicy", + "id": "x-mitre-sensor-mapping--a1527d9e-c440-4547-863f-2c8650bc542f", + "modified": "2023-10-27T20:54:34.084188Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": 
"2023-10-27T20:54:34.085189Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A managed policy has been added to an IAM user.", + "event_id": "AttachUserPolicy", + "id": "x-mitre-sensor-mapping--cd95caef-f9a3-402e-9a1e-b72c3a5e9d5e", + "modified": "2023-10-27T20:54:34.085189Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.08647Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A password for an IAM user has been changed.\n\nChanges the password of the IAM user who is calling this operation. This operation can be performed using the AWS CLI, the AWS API, or the My Security Credentials page in the AWS Management Console. The AWS account root user password is not affected by this operation.", + "event_id": "ChangePassword", + "id": "x-mitre-sensor-mapping--508ce1f9-a02a-4931-92d3-d1712a1825d7", + "modified": "2023-10-27T20:54:34.08647Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.088184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A new AWS secret access key and access key ID has been created.", + "event_id": "CreateAccessKey", + "id": "x-mitre-sensor-mapping--ddebed8a-9864-4768-9115-42fb3f47c634", + "modified": "2023-10-27T20:54:34.088184Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Access Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": 
"2023-10-27T20:54:34.089187Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Creates an alias for your AWS account.", + "event_id": "CreateAccountAlias", + "id": "x-mitre-sensor-mapping--39498d6c-5e30-4bc1-945f-3aac2367b42e", + "modified": "2023-10-27T20:54:34.089187Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Alias", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.091188Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A new password has been created for a user to access AWS services through the management console.", + "event_id": "CreateLoginProfile", + "id": "x-mitre-sensor-mapping--a9005262-e92b-4d4e-a308-2c9d88f69d73", + "modified": "2023-10-27T20:54:34.091188Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.09319Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A new managed policy has been created for an AWS account.", + "event_id": "CreatePolicy", + "id": "x-mitre-sensor-mapping--34f081d7-5b85-4e83-b9f8-72fe1de57ba8", + "modified": "2023-10-27T20:54:34.09319Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.095188Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. 
A managed policy can have up to five versions. If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version.", + "event_id": "CreatePolicyVersion", + "id": "x-mitre-sensor-mapping--e1f710a0-efb1-49c5-89fb-049aee1ccf31", + "modified": "2023-10-27T20:54:34.095188Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.096199Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A new role for an AWS account has been created.", + "event_id": "CreateRole", + "id": "x-mitre-sensor-mapping--cf65b1a4-aa93-4c88-a941-f65ccc5d7af9", + "modified": "2023-10-27T20:54:34.096199Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.097197Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. 
Use this operation to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account.", + "event_id": "GetAccountAuthorizationDetails", + "id": "x-mitre-sensor-mapping--b77759bc-19d1-4057-b2c3-00256312f299", + "modified": "2023-10-27T20:54:34.097197Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.099185Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves the password policy for the AWS account. This tells you the complexity requirements and mandatory rotation periods for the IAM user passwords in your account.", + "event_id": "GetAccountPasswordPolicy", + "id": "x-mitre-sensor-mapping--faf752ae-8332-4ea0-b00e-76920d1d0b71", + "modified": "2023-10-27T20:54:34.099185Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Aws Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.1002Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Gets a list of all of the context keys referenced in the input policies. The policies are supplied as a list of one or more strings. 
To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy.", + "event_id": "GetContextKeysForCustomPolicy", + "id": "x-mitre-sensor-mapping--99205d36-a315-4146-a75f-20b54ecd8f87", + "modified": "2023-10-27T20:54:34.1002Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.103204Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves the user name and password-creation date for the specified IAM user.", + "event_id": "GetLoginprofile", + "id": "x-mitre-sensor-mapping--3d045128-a91a-4c73-9f12-43ee5134b9ba", + "modified": "2023-10-27T20:54:34.103204Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.104185Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached.", + "event_id": "GetPolicy", + "id": "x-mitre-sensor-mapping--efb0b328-bbf7-41bf-9cdc-febd3af82a23", + "modified": "2023-10-27T20:54:34.104185Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.105186Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves information about the specified version of the specified managed 
policy, including the policy document.", + "event_id": "GetPolicyVersion", + "id": "x-mitre-sensor-mapping--3996a6e5-702e-498a-bba3-3eb3dd2410ca", + "modified": "2023-10-27T20:54:34.105186Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.108194Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role.", + "event_id": "GetRole", + "id": "x-mitre-sensor-mapping--e4e5f87d-c72d-4a0e-902c-b06493720cb3", + "modified": "2023-10-27T20:54:34.108194Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.10919Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves the specified inline policy document that is embedded with the specified IAM role.", + "event_id": "GetRolePolicy", + "id": "x-mitre-sensor-mapping--927808d3-ef85-4fcd-87ca-b8f3303e0284", + "modified": "2023-10-27T20:54:34.10919Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.111184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Retrieves the specified inline policy document that is embedded in the specified IAM user.", + "event_id": "GetUserPolicy", + "id": 
"x-mitre-sensor-mapping--73d9a0f7-52a3-48a8-8efb-2bc3a916e2f5", + "modified": "2023-10-27T20:54:34.111184Z", + "relationship": "Accessed", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.112185Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists all managed policies that are attached to the specified IAM role.", + "event_id": "ListAttachedRolePolicies", + "id": "x-mitre-sensor-mapping--20d20f81-8471-488c-a680-7dd4338887fd", + "modified": "2023-10-27T20:54:34.112185Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User", + "spec_version": "2.1", + "target": "Role", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.117185Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists the tags that are attached to the specified IAM customer managed policy. 
The returned list of tags is sorted by tag key.", + "event_id": "ListPolicyTags", + "id": "x-mitre-sensor-mapping--a823a697-3037-4653-90e5-65d08d3b0f5a", + "modified": "2023-10-27T20:54:34.117185Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.119184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version.", + "event_id": "ListPolicyVersions", + "id": "x-mitre-sensor-mapping--8146885b-aa11-421c-a3a7-8ed423f77972", + "modified": "2023-10-27T20:54:34.119184Z", + "relationship": "Enumerates", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.120184Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Changes the password for the specified IAM user.", + "event_id": "UpdateLoginProfile", + "id": "x-mitre-sensor-mapping--4f039a9d-f813-48a8-8fa9-14f11c12c5d9", + "modified": "2023-10-27T20:54:34.120184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.121185Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Sets the specified version of the global endpoint token as the token version used for the AWS account.", + "event_id": "SetSecurityTokenPreferences", + "id": 
"x-mitre-sensor-mapping--5ca1702a-1495-47d4-972a-5160878d9aef", + "modified": "2023-10-27T20:54:34.121185Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.122184Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Adds one or more tags to an IAM user. If a tag with the same key name already exists, then that tag is overwritten with the new value.", + "event_id": "TagUser", + "id": "x-mitre-sensor-mapping--724d8fd1-6ef8-442b-8745-350a88dcf5aa", + "modified": "2023-10-27T20:54:34.122184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.124186Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Removes the specified tags from the user.", + "event_id": "UntagUser", + "id": "x-mitre-sensor-mapping--8b6399a1-6079-4fb6-b6b4-6fa605b90249", + "modified": "2023-10-27T20:54:34.124186Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account Metadata (User Tags)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.125186Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Changes the status of the specified access key from Active to Inactive, or vice versa. 
This operation can be used to disable a user's key as part of a key rotation workflow.", + "event_id": "UpdateAccessKey", + "id": "x-mitre-sensor-mapping--43d5a12f-3b32-409f-a2f8-4bac1b1051d1", + "modified": "2023-10-27T20:54:34.125186Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.127184Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Sets the status of a service-specific credential to Active or Inactive. Service-specific credentials that are inactive cannot be used for authentication to the service. This operation can be used to disable a user's service-specific credential as part of a credential rotation work flow.", + "event_id": "UpdateServiceSpecificCredential", + "id": "x-mitre-sensor-mapping--02796475-87ce-4eb4-9994-753119b9be2d", + "modified": "2023-10-27T20:54:34.127184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.128184Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Changes the status of the specified user signing certificate from active to disabled, or vice versa. 
This operation can be used to disable an IAM user's signing certificate as part of a certificate rotation work flow.", + "event_id": "UpdateSigningCertificate", + "id": "x-mitre-sensor-mapping--1c958f62-e0f6-4ef8-be2e-050b9001512d", + "modified": "2023-10-27T20:54:34.128184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.129184Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Sets the status of an IAM user's SSH public key to active or inactive. SSH public keys that are inactive cannot be used for authentication. This operation can be used to disable a user's SSH public key as part of a key rotation work flow.", + "event_id": "UpdateSSHPublicKey", + "id": "x-mitre-sensor-mapping--7e002710-f808-4d23-b81c-bd54b838fef2", + "modified": "2023-10-27T20:54:34.129184Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.131201Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Updates the name and/or the path of the specified IAM user.", + "event_id": "UpdateUser", + "id": "x-mitre-sensor-mapping--18910039-033a-4f62-8613-48601426d1b7", + "modified": "2023-10-27T20:54:34.131201Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.132204Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Uploads a server 
certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.", + "event_id": "UploadServerCertificate", + "id": "x-mitre-sensor-mapping--9afec1b5-9850-4bce-bd45-03a98b25bc9f", + "modified": "2023-10-27T20:54:34.132204Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.134284Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Uploads an X.509 signing certificate and associates it with the specified IAM user.", + "event_id": "UploadSigningCertificate", + "id": "x-mitre-sensor-mapping--026a3960-e700-4da2-b179-4c759c9548cc", + "modified": "2023-10-27T20:54:34.134284Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.134948Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "Uploads an SSH public key and associates it with the specified IAM user.", + "event_id": "UploadSSHPublicKey", + "id": "x-mitre-sensor-mapping--a74c00b4-22e8-4b09-8ac9-86f4c371bd3a", + "modified": "2023-10-27T20:54:34.134948Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.136931Z", + "data_component": "Volume Creation", + "data_source": "Volume", + "description": "Creates an EBS volume that can be attached to an instance in the same Availability Zone.", + 
"event_id": "CreateVolume", + "id": "x-mitre-sensor-mapping--d145d5e7-3e6c-42fb-a0ad-d0716259a87d", + "modified": "2023-10-27T20:54:34.136931Z", + "relationship": "Create", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Volume", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0034" + }, + { + "created": "2023-10-27T20:54:34.138945Z", + "data_component": "Volume Modification", + "data_source": "Volume", + "description": "Detaches an EBS volume from an instance.", + "event_id": "DetachVolume", + "id": "x-mitre-sensor-mapping--80ab0482-fdbc-4c16-bc92-809f80b6e64d", + "modified": "2023-10-27T20:54:34.138945Z", + "relationship": "Modification", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Volume", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0034" + }, + { + "created": "2023-10-27T20:54:34.14093Z", + "data_component": "Volume Modification", + "data_source": "Volume", + "description": "You can modify several parameters of an existing EBS volume, including volume size, volume type, and IOPS capacity.", + "event_id": "ModifyVolume", + "id": "x-mitre-sensor-mapping--ae947d01-0b87-40d6-a5cd-4394b9d798e7", + "modified": "2023-10-27T20:54:34.14093Z", + "relationship": "Modification", + "revoked": false, + "source": "Iam User/Process", + "spec_version": "2.1", + "target": "Volume", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0034" + }, + { + "created": "2023-10-27T20:54:34.172925Z", + "data_component": "Active Directory Metadata", + "data_source": "Active Directory", + "description": "OS X Active Directory configuration.", + "event_id": "ad_config", + "id": "x-mitre-sensor-mapping--abd593f2-6665-4b11-8784-800df631e16c", + "modified": "2023-10-27T20:54:34.172925Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.173926Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "The managed configuration policies from AD, MDM, MCX, etc.", + "event_id": "managed_policies", + "id": "x-mitre-sensor-mapping--acf0b3d7-d283-49e8-bdc9-0929cbcb856b", + "modified": "2023-10-27T20:54:34.173926Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Active Directory", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.176128Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Content scripts associated with Chrome extensions", + "event_id": "chrome_extension_content_scripts", + "id": "x-mitre-sensor-mapping--c55203a0-173e-4ea3-be1a-f2d106eeb36d", + "modified": "2023-10-27T20:54:34.176128Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Application", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.176931Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Chrome browser extensions", + "event_id": "chrome_extensions", + "id": "x-mitre-sensor-mapping--10f4ef38-6fb9-44b7-a36b-b2bda25e2347", + "modified": "2023-10-27T20:54:34.176931Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.179931Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Firefox browser extensions, webapps, and addons.", + "event_id": "firefox_addons", + "id": 
"x-mitre-sensor-mapping--9a0ff282-f268-4db6-b8d8-6ecd53e742e6", + "modified": "2023-10-27T20:54:34.179931Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.181933Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Internet Explorer browser extensions.", + "event_id": "ie_extensions", + "id": "x-mitre-sensor-mapping--4e113995-da0e-42c1-ae4f-212b0881a31e", + "modified": "2023-10-27T20:54:34.181933Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.18293Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Opera browser extensions.", + "event_id": "opera_extensions", + "id": "x-mitre-sensor-mapping--5fcf571d-946e-4a40-bcab-4c2fe4ca8931", + "modified": "2023-10-27T20:54:34.18293Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.183927Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "Safari browser extension details for all users.", + "event_id": "safari_extensions", + "id": "x-mitre-sensor-mapping--c540f41a-f066-49ad-9e3e-4632265895dd", + "modified": "2023-10-27T20:54:34.183927Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": 
"2023-10-27T20:54:34.183927Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "All C/NPAPI browser plugin details for all users.", + "event_id": "browser_plugins", + "id": "x-mitre-sensor-mapping--2439ac08-dcd3-48b8-bd91-e77a95ba508c", + "modified": "2023-10-27T20:54:34.183927Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.18493Z", + "data_component": "Application Log Content", + "data_source": "Application Log", + "description": "The installed homebrew package database.", + "event_id": "homebrew_packages", + "id": "x-mitre-sensor-mapping--645238a8-f28b-497e-95a7-2008ee1b897f", + "modified": "2023-10-27T20:54:34.18493Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Application Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0015" + }, + { + "created": "2023-10-27T20:54:34.186928Z", + "data_component": "Certificate Registration", + "data_source": "Certificate", + "description": "Certificate Authorities installed in Keychains/ca-bundles.", + "event_id": "certificates", + "id": "x-mitre-sensor-mapping--4e63505f-4749-4437-9725-176d8623cab5", + "modified": "2023-10-27T20:54:34.186928Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0037" + }, + { + "created": "2023-10-27T20:54:34.187927Z", + "data_component": "Command Metadata", + "data_source": "Command", + "description": "A line-delimited (command) table of per-user .*_history data.", + "event_id": "shell_history", + "id": "x-mitre-sensor-mapping--56e97439-0b90-40a7-88f7-64a6d2c201c3", + "modified": 
"2023-10-27T20:54:34.187927Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Command History", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0017" + }, + { + "created": "2023-10-27T20:54:34.188927Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Retrieve basic information about the physical disks of a system.", + "event_id": "disk_info", + "id": "x-mitre-sensor-mapping--ded17b5f-e088-413a-b761-5069afeb1bb7", + "modified": "2023-10-27T20:54:34.188927Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.19093Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Disk encryption status and information.", + "event_id": "disk_encryption", + "id": "x-mitre-sensor-mapping--842103b7-70b5-4fd2-9136-12b94f7430e4", + "modified": "2023-10-27T20:54:34.19093Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.19093Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Details for logical drives on the system. 
A logical drive generally represents a single partition.", + "event_id": "logical_drives", + "id": "x-mitre-sensor-mapping--86f5f9f1-72d6-4041-9b32-0b73199dc5d3", + "modified": "2023-10-27T20:54:34.19093Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.191932Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Track DMG disk image events (appearance/disappearance) when opened", + "event_id": "disk_events", + "id": "x-mitre-sensor-mapping--10991cd7-12fe-48ca-94a7-8e33c9763ce4", + "modified": "2023-10-27T20:54:34.191932Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.193929Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Use TSK to enumerate details about partitions on a disk device.", + "event_id": "device_partitions", + "id": "x-mitre-sensor-mapping--d8976aa7-14b9-4395-9635-5535fd310ef2", + "modified": "2023-10-27T20:54:34.193929Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Disk", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.195779Z", + "data_component": "Drive Access", + "data_source": "Drive", + "description": "Similar to the file table, but use TSK and allow block address access", + "event_id": "device_file", + "id": "x-mitre-sensor-mapping--7b47fc14-6589-4abc-9c42-222463160ac5", + "modified": "2023-10-27T20:54:34.195779Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Disk", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.197191Z", + "data_component": "Drive Creation", + "data_source": "Drive", + "description": "USB devices that are actively plugged into the host system.", + "event_id": "usb_devices", + "id": "x-mitre-sensor-mapping--7b617bd2-6671-4ba9-9222-9a80482e2289", + "modified": "2023-10-27T20:54:34.197191Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.19818Z", + "data_component": "Drive Metadata", + "data_source": "Driver", + "description": "Filesystem hash data.", + "event_id": "hash", + "id": "x-mitre-sensor-mapping--3fcfd0a7-36b8-4b1b-bd28-0e0767377298", + "modified": "2023-10-27T20:54:34.19818Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.199181Z", + "data_component": "Drive Metadata", + "data_source": "Drive", + "description": "Locations backed up to using Time Machine.", + "event_id": "time_machine_destinations", + "id": "x-mitre-sensor-mapping--442d3c19-a447-4cd7-adaa-8a6dc122a6e2", + "modified": "2023-10-27T20:54:34.199181Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.20018Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "Backups to drives using TimeMachine.", + "event_id": "time_machine_backups", + "id": "x-mitre-sensor-mapping--dc2f24e0-c703-4542-8989-586b40ca86b8", + "modified": "2023-10-27T20:54:34.20018Z", + "relationship": "Modified", + "revoked": 
false, + "source": "Service", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.201183Z", + "data_component": "Driver Metadata", + "data_source": "Driver", + "description": "Details for in-use Windows device drivers. This does not display installed but unused drivers.", + "event_id": "drivers", + "id": "x-mitre-sensor-mapping--05a724e0-1a76-4d5e-8057-d455a47ab038", + "modified": "2023-10-27T20:54:34.201183Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Driver", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.202198Z", + "data_component": "Driver Metadata", + "data_source": "Driver", + "description": "Retrieve bitlocker status of the machine.", + "event_id": "bitlocker_info", + "id": "x-mitre-sensor-mapping--135f6d07-7755-4830-8983-cbb9cf06b20f", + "modified": "2023-10-27T20:54:34.202198Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Driver", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.203187Z", + "data_component": "Driver Metadata", + "data_source": "Driver", + "description": "The IOKit registry matching the DeviceTree plane.", + "event_id": "iokit_devicetree", + "id": "x-mitre-sensor-mapping--a38bda1d-3c18-4661-8ad1-5d3514cd585d", + "modified": "2023-10-27T20:54:34.203187Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Driver", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.204197Z", + "data_component": "Driver Metadata", + "data_source": "Driver", + "description": "The full IOKit registry without selecting a plane.", + 
"event_id": "iokit_registry", + "id": "x-mitre-sensor-mapping--00fa1123-0420-4a98-bd8f-94097aa57299", + "modified": "2023-10-27T20:54:34.204197Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Driver", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.205186Z", + "data_component": "File Access", + "data_source": "File", + "description": "Configuration files parsed by augeas", + "event_id": "augeas", + "id": "x-mitre-sensor-mapping--0e5b180c-142f-4c06-93fa-b5e9d4dfc180", + "modified": "2023-10-27T20:54:34.205186Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.206302Z", + "data_component": "File Access", + "data_source": "File", + "description": "View recently opened Office documents.", + "event_id": "office_mru", + "id": "x-mitre-sensor-mapping--ed5c3f01-5ca5-4d52-9efb-1d511aa4b904", + "modified": "2023-10-27T20:54:34.206302Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.207293Z", + "data_component": "File Access", + "data_source": "File", + "description": "Read and parse a plist file.", + "event_id": "plist", + "id": "x-mitre-sensor-mapping--670480c5-57d7-4ca9-a596-d7eaaa22002c", + "modified": "2023-10-27T20:54:34.207293Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.208309Z", + "data_component": "File Creation", + "data_source": "File", + 
"description": "Track time/action changes to files specified in configuration data.", + "event_id": "file_events", + "id": "x-mitre-sensor-mapping--8be8f6d6-fac5-4c5e-80eb-9ccf1f0cad6a", + "modified": "2023-10-27T20:54:34.208309Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.209297Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "Track time/action changes to files specified in configuration data.", + "event_id": "file_events", + "id": "x-mitre-sensor-mapping--47a580ce-6181-4e41-bd6b-2070e3436978", + "modified": "2023-10-27T20:54:34.209297Z", + "relationship": "Deleted", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.233081Z", + "data_component": "File Modification", + "data_source": "File", + "description": "Track time/action changes to files specified in configuration data.", + "event_id": "file_events", + "id": "x-mitre-sensor-mapping--ce1f0061-dc81-48cb-a99b-2a8216c8400d", + "modified": "2023-10-27T20:54:34.233081Z", + "relationship": "Modified", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.210298Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "File (executable, bundle, installer, disk) code signing status.", + "event_id": "authenticode", + "id": "x-mitre-sensor-mapping--5a7e9f0f-6ef9-4e32-bd0e-cd27ba97062b", + "modified": "2023-10-27T20:54:34.210298Z", + "relationship": "Validated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Signature", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.211302Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Track time/action changes to files specified in configuration data.", + "event_id": "ntfs_journal_events", + "id": "x-mitre-sensor-mapping--3ac9b962-c305-4fcd-95be-3c4d6934f494", + "modified": "2023-10-27T20:54:34.211302Z", + "relationship": "Deleted", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.222617Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Track time/action changes to files specified in configuration data.", + "event_id": "ntfs_journal_events", + "id": "x-mitre-sensor-mapping--4704c5c0-5d54-41c0-8b0a-8d0707a83875", + "modified": "2023-10-27T20:54:34.222617Z", + "relationship": "Modified", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.2123Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF dynamic section information.", + "event_id": "elf_dynamic", + "id": "x-mitre-sensor-mapping--f069ab67-40cb-487a-a444-7737dd182726", + "modified": "2023-10-27T20:54:34.2123Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.213297Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF file information.", + "event_id": "elf_info", + "id": "x-mitre-sensor-mapping--00daa74b-fc79-423c-88c5-fd8d9f07bdf7", + "modified": 
"2023-10-27T20:54:34.213297Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.214967Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF section information.", + "event_id": "elf_sections", + "id": "x-mitre-sensor-mapping--954135d5-8554-41e1-8eaa-d33f33988727", + "modified": "2023-10-27T20:54:34.214967Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.215961Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF segments information.", + "event_id": "elf_segments", + "id": "x-mitre-sensor-mapping--eec991a4-564d-4e5c-abca-bd8165273389", + "modified": "2023-10-27T20:54:34.215961Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.216607Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "ELF symbol list.", + "event_id": "elf_symbols", + "id": "x-mitre-sensor-mapping--9a9f302b-0b0c-48c7-82b0-af5d93f6cc75", + "modified": "2023-10-27T20:54:34.216607Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.217604Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Returns the extended attributes for files (similar to Windows ADS).", + "event_id": "extended_attributes", 
+ "id": "x-mitre-sensor-mapping--cf55045a-74f1-4d3e-8351-d28af9baf04d", + "modified": "2023-10-27T20:54:34.217604Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.218594Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Interactive filesystem attributes and metadata.", + "event_id": "file", + "id": "x-mitre-sensor-mapping--f764c4df-e6cd-4715-a486-893048d4a229", + "modified": "2023-10-27T20:54:34.218594Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.2196Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Magic number recognition library table.", + "event_id": "magic", + "id": "x-mitre-sensor-mapping--433fde69-022c-422e-a3a5-6eee521a0407", + "modified": "2023-10-27T20:54:34.2196Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.220598Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Retrieve NTFS ACL permission information for files and directories.", + "event_id": "ntfs_acl_permissions", + "id": "x-mitre-sensor-mapping--2a42ea93-53e7-46b2-8597-6c26a783b643", + "modified": "2023-10-27T20:54:34.220598Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.221597Z", + "data_component": 
"File Metadata", + "data_source": "File", + "description": "File (executable, bundle, installer, disk) code signing status.", + "event_id": "signature", + "id": "x-mitre-sensor-mapping--156e5a95-c045-4ddf-9ce5-01435f792228", + "modified": "2023-10-27T20:54:34.221597Z", + "relationship": "Created", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Signature", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.22408Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "A File Integrity Monitor implementation using the audit service.", + "event_id": "process_file_events", + "id": "x-mitre-sensor-mapping--67bc0598-0f7e-43a4-976c-3edfdf972f6d", + "modified": "2023-10-27T20:54:34.22408Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.225971Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Similar to the hash table, but use TSK and allow block address access", + "event_id": "device_hash", + "id": "x-mitre-sensor-mapping--56bcb499-9781-4616-ab6d-a2e1b039f675", + "modified": "2023-10-27T20:54:34.225971Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.22697Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "OS X package bill of materials (BOM) file list.", + "event_id": "package_bom", + "id": "x-mitre-sensor-mapping--ce7dccf7-2f7d-46ff-8c56-896f6bb64747", + "modified": "2023-10-27T20:54:34.22697Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + 
"spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.227964Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Files and thumbnails within OS X's Quicklook Cache.", + "event_id": "quicklook_cache", + "id": "x-mitre-sensor-mapping--4be76a2a-38c0-4a39-862c-53f9a5a2b088", + "modified": "2023-10-27T20:54:34.227964Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.229009Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Application Compatibility Cache, contains artifacts of execution.", + "event_id": "shimcache", + "id": "x-mitre-sensor-mapping--0307600c-1b97-4a2d-ad6d-c538cf841079", + "modified": "2023-10-27T20:54:34.229009Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.230005Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Run searches against the spotlight database.", + "event_id": "mdfind", + "id": "x-mitre-sensor-mapping--1ae9ee07-8995-411f-8aa1-fdb2fb5204b8", + "modified": "2023-10-27T20:54:34.230005Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.231041Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "Query file metadata in the Spotlight database.", + "event_id": "mdls", + "id": 
"x-mitre-sensor-mapping--107d35e1-b984-421a-b4c6-f9c58d4fb221", + "modified": "2023-10-27T20:54:34.231041Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.232052Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "suid binaries in common locations.", + "event_id": "suid_bin", + "id": "x-mitre-sensor-mapping--147f4ff3-fdc5-42d4-8170-6af703bbb89c", + "modified": "2023-10-27T20:54:34.232052Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.234171Z", + "data_component": "Firewall Enumeration", + "data_source": "Firewall", + "description": "ALF services explicitly allowed to perform networking.", + "event_id": "alf_explicit_auths", + "id": "x-mitre-sensor-mapping--e1a361d2-6547-4701-a802-72c59988f7f0", + "modified": "2023-10-27T20:54:34.234171Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.235252Z", + "data_component": "Firewall Enumeration", + "data_source": "Firewall", + "description": "Linux IP packet filtering and NAT tool.", + "event_id": "iptables", + "id": "x-mitre-sensor-mapping--1a5d8ffd-5830-434b-8d22-c57b20707de5", + "modified": "2023-10-27T20:54:34.235252Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Firewall Rules", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.236259Z", + "data_component": "Firewall 
Metadata", + "data_source": "Firewall", + "description": "OS X application layer firewall (ALF) service details.", + "event_id": "alf", + "id": "x-mitre-sensor-mapping--4b0f438b-12d0-41bc-aced-32f463e30ac6", + "modified": "2023-10-27T20:54:34.236259Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.2373Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "OS X application layer firewall (ALF) service exceptions", + "event_id": "alf_exceptions", + "id": "x-mitre-sensor-mapping--2fa0e59c-a5b3-4973-a66e-aeb168655608", + "modified": "2023-10-27T20:54:34.2373Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.239418Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "BIOS (DMI) structure common details and content.", + "event_id": "smbios_tables", + "id": "x-mitre-sensor-mapping--fab9ef34-959f-4a2d-8b90-78da4b2fdb2b", + "modified": "2023-10-27T20:54:34.239418Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Bios (Dmi) Structure", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.241332Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "Lists important information from the system bios.", + "event_id": "wmi_bios_info", + "id": "x-mitre-sensor-mapping--bf0c61cd-16c4-42c6-94ee-606d4fe0e3ee", + "modified": "2023-10-27T20:54:34.241332Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/Service", + "spec_version": 
"2.1", + "target": "Firmware", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.242341Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "OEM defined strings retrieved from SMBIOS.", + "event_id": "oem_strings", + "id": "x-mitre-sensor-mapping--a834a435-7217-4a10-a619-c9ed82c04def", + "modified": "2023-10-27T20:54:34.242341Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Firmware", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.243937Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "Information about EFI/UEFI/ROM and platform/boot.", + "event_id": "platform_info", + "id": "x-mitre-sensor-mapping--2f6d1fe4-6dc4-49ed-aa2d-7d66572a92d6", + "modified": "2023-10-27T20:54:34.243937Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Firmware", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.245494Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "PCI devices active on the host system.", + "event_id": "pci_devices", + "id": "x-mitre-sensor-mapping--8a62899d-55b4-4f8a-81d6-30beffc2d51f", + "modified": "2023-10-27T20:54:34.245494Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Firmware", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.246525Z", + "data_component": "Firmware Metadata", + "data_source": "Firmware", + "description": "Firmware ACPI functional table common metadata and content.", + "event_id": "acpi_tables", + "id": 
"x-mitre-sensor-mapping--23e89f62-9f51-42d8-a3c6-8015320b3e81", + "modified": "2023-10-27T20:54:34.246525Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Acpi Tables", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0001" + }, + { + "created": "2023-10-27T20:54:34.247517Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Local system groups.", + "event_id": "groups", + "id": "x-mitre-sensor-mapping--28505a71-b0ba-41a2-897d-c2f1b46f7736", + "modified": "2023-10-27T20:54:34.247517Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Groups", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.248542Z", + "data_component": "Group Metadata", + "data_source": "Group", + "description": "Local system user group relationships.", + "event_id": "user_groups", + "id": "x-mitre-sensor-mapping--4f6cf0f4-fb1d-4e55-83b6-9c2bf514f7a9", + "modified": "2023-10-27T20:54:34.248542Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.249548Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.", + "event_id": "hardware_events", + "id": "x-mitre-sensor-mapping--b10a6daa-f5e0-425e-93e4-263e539c6b17", + "modified": "2023-10-27T20:54:34.249548Z", + "relationship": "Inserted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.250575Z", + "data_component": "Host Status", + "data_source": "Sensor 
Health", + "description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.", + "event_id": "hardware_events", + "id": "x-mitre-sensor-mapping--da0fe080-e091-488c-98c9-76684d271540", + "modified": "2023-10-27T20:54:34.250575Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.251577Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Hardware (PCI/USB/HID) events from UDEV or IOKit.", + "event_id": "hardware_events", + "id": "x-mitre-sensor-mapping--34765f3d-d411-46cc-92ad-2c38ae3a9ca2", + "modified": "2023-10-27T20:54:34.251577Z", + "relationship": "Removed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.252615Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Data associated with errors of a physical memory array.", + "event_id": "memory_error_info", + "id": "x-mitre-sensor-mapping--5419e457-53b5-4d50-831b-968365bd0b9a", + "modified": "2023-10-27T20:54:34.252615Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.253697Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "A summary about portage configurations like keywords, mask and unmask.", + "event_id": "portage_keywords", + "id": "x-mitre-sensor-mapping--a7884f0d-8ace-4342-96cd-f6851ce72039", + "modified": "2023-10-27T20:54:34.253697Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": 
"Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.254695Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "List of enabled portage USE values for specific package.", + "event_id": "portage_use", + "id": "x-mitre-sensor-mapping--6ffa38c6-1796-4ab1-8a9c-b7343523a891", + "modified": "2023-10-27T20:54:34.254695Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.256247Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The installed DEB package database.", + "event_id": "deb_packages", + "id": "x-mitre-sensor-mapping--1438049f-998e-4474-abbb-e43c23ee66d3", + "modified": "2023-10-27T20:54:34.256247Z", + "relationship": "Read", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.258252Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Lists all npm packages in a directory or globally installed in a system.", + "event_id": "npm_packages", + "id": "x-mitre-sensor-mapping--ecf24101-972c-43e2-baed-ec76cccea089", + "modified": "2023-10-27T20:54:34.258252Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.26024Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "List of currently installed packages.", + "event_id": "portage_packages", + "id": 
"x-mitre-sensor-mapping--be36f076-b1a3-40ec-bd14-a6dff0cfaf06", + "modified": "2023-10-27T20:54:34.26024Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.261242Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author.", + "event_id": "programs", + "id": "x-mitre-sensor-mapping--86999150-0d69-4117-ad92-4a157fa72064", + "modified": "2023-10-27T20:54:34.261242Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Registry Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.262246Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Python packages installed in a system.", + "event_id": "python_packages", + "id": "x-mitre-sensor-mapping--f3897ca2-4253-4a61-a1ba-4bcfa6f886d2", + "modified": "2023-10-27T20:54:34.262246Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Script Installer", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.26385Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "RPM packages that are currently installed on the host system.", + "event_id": "rpm_package_files", + "id": "x-mitre-sensor-mapping--43455ddb-e212-47cd-a100-6abba9eb170b", + "modified": "2023-10-27T20:54:34.26385Z", + "relationship": "Accessed", + "revoked": false, + "source": 
"User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.265394Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "RPM packages that are currently installed on the host system.", + "event_id": "rpm_packages", + "id": "x-mitre-sensor-mapping--13f79664-cc7f-4430-9c61-7790072e0834", + "modified": "2023-10-27T20:54:34.265394Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.266444Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Current list of APT repositories or software channels.", + "event_id": "apt_sources", + "id": "x-mitre-sensor-mapping--af2cefe0-d703-467f-9423-f2ee64339c54", + "modified": "2023-10-27T20:54:34.266444Z", + "relationship": "Read", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.267448Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Track SELinux events.", + "event_id": "selinux_events", + "id": "x-mitre-sensor-mapping--ccb2bfd6-3161-4516-a70a-980098a3211e", + "modified": "2023-10-27T20:54:34.267448Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.268468Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Track active SELinux settings.", + "event_id": "selinux_settings", + "id": 
"x-mitre-sensor-mapping--dfc62099-1b1e-4ab1-a275-a71efc773456", + "modified": "2023-10-27T20:54:34.268468Z", + "relationship": "Read", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.269485Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "OS X application schemes and handlers (e.g., http, file, mailto).", + "event_id": "app_schemes", + "id": "x-mitre-sensor-mapping--2ee0d5eb-c8d2-4151-9711-012bd1b1db39", + "modified": "2023-10-27T20:54:34.269485Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status (Configuration)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.27056Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Lists all the patches applied. Note: This does not include patches applied via MSI or downloaded from Windows Update (e.g. Service Packs).", + "event_id": "patches", + "id": "x-mitre-sensor-mapping--c6cee60d-7c79-406a-baa3-4c215b738ba4", + "modified": "2023-10-27T20:54:34.27056Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.271508Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Lists named Windows objects in the default object directories, across all terminal services sessions. 
Example Windows ojbect types include Mutexes, Events, Jobs and Semaphors.", + "event_id": "winbaseobj", + "id": "x-mitre-sensor-mapping--5acc1228-05dc-4591-b93f-41c3080afbf0", + "modified": "2023-10-27T20:54:34.271508Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.274146Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "System information for identification.", + "event_id": "system_info", + "id": "x-mitre-sensor-mapping--df088393-5afc-46b0-a21e-cb7ea5a519f7", + "modified": "2023-10-27T20:54:34.274146Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.275675Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Provides information about the internal battery of a Macbook.", + "event_id": "battery", + "id": "x-mitre-sensor-mapping--18b03594-5f55-4d94-a95f-04393f566109", + "modified": "2023-10-27T20:54:34.275675Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.276721Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Block (buffered access) device file nodes: disks, ramdisks, and DMG containers.", + "event_id": "block_devices", + "id": "x-mitre-sensor-mapping--7e9bca5a-2a01-45e5-8724-2f21d57d61dc", + "modified": "2023-10-27T20:54:34.276721Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": 
"Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.277728Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Display information pertaining to the chassis and its security status.", + "event_id": "chassis_info", + "id": "x-mitre-sensor-mapping--e69e790a-5a2c-4f01-a926-8c89c42749db", + "modified": "2023-10-27T20:54:34.277728Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.278735Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Useful CPU features from the cpuid ASM call.", + "event_id": "cpuid", + "id": "x-mitre-sensor-mapping--06e556d4-c1fc-4fd3-9bfe-95394242aa9a", + "modified": "2023-10-27T20:54:34.278735Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.27975Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Info about the CPU running on the machine.", + "event_id": "cpu_info", + "id": "x-mitre-sensor-mapping--c9a5bb37-3442-4f3d-8851-5cbc8486775d", + "modified": "2023-10-27T20:54:34.27975Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.280772Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Displays information from /proc/stat file about the time the cpu cores spent in different parts of the system.", + "event_id": "cpu_time", + "id": 
"x-mitre-sensor-mapping--0b28ad3e-1f21-456f-ac2d-5da11e96e06e", + "modified": "2023-10-27T20:54:34.280772Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.281789Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Extracted information from Windows crash logs (Minidumps).", + "event_id": "windows_crashes", + "id": "x-mitre-sensor-mapping--d59c35bb-70e0-4269-83bf-7826e1f9cf49", + "modified": "2023-10-27T20:54:34.281789Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.283367Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Application, System, and Mobile App crash logs.", + "event_id": "crashes", + "id": "x-mitre-sensor-mapping--806a2841-8ca8-4e45-8b3b-b6591cb7a6e1", + "modified": "2023-10-27T20:54:34.283367Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.283927Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Default environment variables and values.", + "event_id": "default_environment", + "id": "x-mitre-sensor-mapping--aeaec996-60f5-4ceb-b36c-5447094757f5", + "modified": "2023-10-27T20:54:34.283927Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": 
"2023-10-27T20:54:34.284925Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "OS X defaults and managed preferences.", + "event_id": "preferences", + "id": "x-mitre-sensor-mapping--86aadc40-2a49-4aa2-bbbd-b507c23b4eae", + "modified": "2023-10-27T20:54:34.284925Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Osx Preferences", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.28696Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "A best-effort list of discovered firmware versions.", + "event_id": "device_firmware", + "id": "x-mitre-sensor-mapping--032e178c-5cf7-4a7f-b596-f43e8470228a", + "modified": "2023-10-27T20:54:34.28696Z", + "relationship": "Read", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.288954Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Queries the Apple System Log data structure for system events", + "event_id": "asl", + "id": "x-mitre-sensor-mapping--f11e9878-7c72-419a-a446-7933f3ae1f4d", + "modified": "2023-10-27T20:54:34.288954Z", + "relationship": "Modified", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Log", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.289954Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Returns information about installed event taps.", + "event_id": "event_taps", + "id": "x-mitre-sensor-mapping--29ba1692-d99c-45f0-95fc-7ee75fd1be87", + "modified": "2023-10-27T20:54:34.289954Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + 
"spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.290955Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Fan speeds.", + "event_id": "fan_speed_sensors", + "id": "x-mitre-sensor-mapping--92845954-17d9-4e18-9392-87f396645060", + "modified": "2023-10-27T20:54:34.290955Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.291953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Retrieve video card information of the machine.", + "event_id": "video_info", + "id": "x-mitre-sensor-mapping--a837af14-286d-4525-8bdc-81947bbff5a2", + "modified": "2023-10-27T20:54:34.291953Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.292953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Retrieve HVCI info of the machine.", + "event_id": "hvci_status", + "id": "x-mitre-sensor-mapping--3d91258f-9dfb-499a-9978-4eeb3837bafc", + "modified": "2023-10-27T20:54:34.292953Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status (Configuration)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.293954Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Information about the Apple iBridge hardware controller.", + "event_id": "ibridge_info", + "id": 
"x-mitre-sensor-mapping--38de6bff-4b1e-47e1-80f4-5c6c0c84a697", + "modified": "2023-10-27T20:54:34.293954Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.294953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Lists names and installation states of windows features. Maps to Win32_OptionalFeature WMI class.", + "event_id": "windows_optional_features", + "id": "x-mitre-sensor-mapping--4aaeba74-78cd-4ebc-8bdb-810d4a8ffac3", + "modified": "2023-10-27T20:54:34.294953Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Windows Features", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.295953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "OS X applications installed in known search paths (e.g., /Applications)", + "event_id": "apps", + "id": "x-mitre-sensor-mapping--abc2c400-e10d-4b4e-a299-9b5934551204", + "modified": "2023-10-27T20:54:34.295953Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Osx Applications", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.297952Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Apple's System Integrity Protection (rootless) status.", + "event_id": "sip_config", + "id": "x-mitre-sensor-mapping--45c8c6d6-90e9-4c0c-bac0-4da264573853", + "modified": "2023-10-27T20:54:34.297952Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "System Integrity Protection", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.298953Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Intel ME/CSE Info.", + "event_id": "intel_me_info", + "id": "x-mitre-sensor-mapping--a4968c07-cb08-4c45-a3ae-7d5587162e8f", + "modified": "2023-10-27T20:54:34.298953Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.299952Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "System kernel panic logs.", + "event_id": "kernel_panics", + "id": "x-mitre-sensor-mapping--40cbeb3c-fa3c-418e-b2b0-02b02f0e3fba", + "modified": "2023-10-27T20:54:34.299952Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status (System Crash Data)", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.300952Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "sysctl names, values, and settings information.", + "event_id": "system_controls", + "id": "x-mitre-sensor-mapping--a6de5ffa-1ad8-4aa7-96f0-18df2c0b5e94", + "modified": "2023-10-27T20:54:34.300952Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.301952Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Applications that have ACL entries in the keychain.", + "event_id": "keychain_acls", + "id": "x-mitre-sensor-mapping--b65992e0-3e6b-42cb-8234-3c1a25aab8c8", + "modified": "2023-10-27T20:54:34.301952Z", + "relationship": 
"Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.303695Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Generic details about keychain items.", + "event_id": "keychain_items", + "id": "x-mitre-sensor-mapping--270f2b0f-25fd-4119-8ef5-8d18d3e8ec9f", + "modified": "2023-10-27T20:54:34.303695Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.305364Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Main memory information in bytes.", + "event_id": "memory_info", + "id": "x-mitre-sensor-mapping--cb2e3d29-d4a0-4005-935e-0df1419a26be", + "modified": "2023-10-27T20:54:34.305364Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.306421Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "OS memory region map.", + "event_id": "memory_map", + "id": "x-mitre-sensor-mapping--9a80362e-c18c-43c2-bc74-1a324d526804", + "modified": "2023-10-27T20:54:34.306421Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.307415Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Booleans about Windows network connectivity.", + "event_id": 
"connectivity", + "id": "x-mitre-sensor-mapping--6b6913e4-2a4d-4981-a7ca-97d56ed3476d", + "modified": "2023-10-27T20:54:34.307415Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.308403Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Display basic NT domain information of a Windows machine.", + "event_id": "ntdomains", + "id": "x-mitre-sensor-mapping--5bab44a3-8482-4e86-966c-eca1317d1a49", + "modified": "2023-10-27T20:54:34.308403Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.309474Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "A single row containing the operating system name and version.", + "event_id": "os_version", + "id": "x-mitre-sensor-mapping--c2e11f7a-cbf8-4563-8863-52cae38ac134", + "modified": "2023-10-27T20:54:34.309474Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.312529Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Returns all completed print jobs from cups.", + "event_id": "cups_jobs", + "id": "x-mitre-sensor-mapping--2b8f4073-a40b-4266-beae-fdd02e71b41b", + "modified": "2023-10-27T20:54:34.312529Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Printer Jobs", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + 
"created": "2023-10-27T20:54:34.313533Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Returns all configured printers.", + "event_id": "cups_destinations", + "id": "x-mitre-sensor-mapping--ca3d4138-4d63-40a5-abbd-222ef91a84ee", + "modified": "2023-10-27T20:54:34.313533Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Printer Info", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.315671Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Enumeration of registered Windows security products.", + "event_id": "windows_security_products", + "id": "x-mitre-sensor-mapping--df263631-baaf-4e88-9e23-89f11c80344b", + "modified": "2023-10-27T20:54:34.315671Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Windows Security Products", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.316694Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "System resource usage limits.", + "event_id": "ulimit_info", + "id": "x-mitre-sensor-mapping--652c8b37-f04b-4b70-afdf-11adb631806d", + "modified": "2023-10-27T20:54:34.316694Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.317773Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Track AppArmor (security auditing) events.", + "event_id": "apparmor_events", + "id": "x-mitre-sensor-mapping--9e250d4a-237a-45c7-946a-8171d650f2be", + "modified": "2023-10-27T20:54:34.317773Z", + "relationship": "Accessed", + "revoked": false, + 
"source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.31928Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Track active AppArmor profiles.", + "event_id": "apparmor_profiles", + "id": "x-mitre-sensor-mapping--e48b0c8e-6ec1-456f-8592-ddea702508f2", + "modified": "2023-10-27T20:54:34.31928Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.320294Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The health status of Window Security features. Health values can be \"Good\", \"Poor\". \"Snoozed\", \"Not Monitored\", and \"Error\".", + "event_id": "windows_security_center", + "id": "x-mitre-sensor-mapping--dfbb6200-c024-458d-b40e-1c43cf763eab", + "modified": "2023-10-27T20:54:34.320294Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.321362Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Displays shared resources on a computer system running Windows. 
This may be a disk drive, printer, interprocess communication, or other sharable device.", + "event_id": "shared_resources", + "id": "x-mitre-sensor-mapping--03e11a47-1137-45b4-b846-6b3c86231506", + "modified": "2023-10-27T20:54:34.321362Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Shared Resources", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.322361Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Rules for running commands as other users via sudo.", + "event_id": "sudoers", + "id": "x-mitre-sensor-mapping--b995d606-6bd4-4079-a7df-f50a23e746e7", + "modified": "2023-10-27T20:54:34.322361Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.323362Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Linux syslog events.", + "event_id": "syslog_events", + "id": "x-mitre-sensor-mapping--437edace-c374-4b06-a3a9-9f13c473fe4b", + "modified": "2023-10-27T20:54:34.323362Z", + "relationship": "Updated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.325586Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Database of the machine's XProtect browser-related signatures.", + "event_id": "xprotect_meta", + "id": "x-mitre-sensor-mapping--8c587ea9-6f12-4685-b906-4810c5c2cdd3", + "modified": "2023-10-27T20:54:34.325586Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host 
Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.327046Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Database of the machine's XProtect signatures.", + "event_id": "xprotect_entries", + "id": "x-mitre-sensor-mapping--6c5a2d42-22a6-4b85-9c99-326e8f0c7ec8", + "modified": "2023-10-27T20:54:34.327046Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.328569Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Database of XProtect matches (if user generated/sent an XProtect report).", + "event_id": "xprotect_reports", + "id": "x-mitre-sensor-mapping--d7e56be6-10ca-4a69-bc3d-e84f52df5b10", + "modified": "2023-10-27T20:54:34.328569Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Host Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.329569Z", + "data_component": "Image Metadata", + "data_source": "Image", + "description": "OS X application sandboxes container details.", + "event_id": "sandboxes", + "id": "x-mitre-sensor-mapping--75b319ec-948c-4259-925c-bad184b363da", + "modified": "2023-10-27T20:54:34.329569Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Image", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0007" + }, + { + "created": "2023-10-27T20:54:34.331569Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Data associated for address mapping of physical memory arrays.", + "event_id": "memory_array_mapped_addresses", + "id": 
"x-mitre-sensor-mapping--2111462a-c678-4e79-afbe-74b730cda96e", + "modified": "2023-10-27T20:54:34.331569Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.333584Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Data associated for address mapping of physical memory devices.", + "event_id": "memory_device_mapped_addresses", + "id": "x-mitre-sensor-mapping--e376a57d-9ff2-4a9e-8d0f-82afc586d7b9", + "modified": "2023-10-27T20:54:34.333584Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.334623Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Data associated with collection of memory devices that operate to form a memory address.", + "event_id": "memory_arrays", + "id": "x-mitre-sensor-mapping--1a4238b6-26f8-425f-9a24-8b145d0d105a", + "modified": "2023-10-27T20:54:34.334623Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.335683Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Physical memory device (type 17) information retrieved from SMBIOS.", + "event_id": "memory_devices", + "id": "x-mitre-sensor-mapping--6031d79b-55bd-4665-a068-ab3f338fc5fd", + "modified": "2023-10-27T20:54:34.335683Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.33668Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "OS shared memory regions.", + "event_id": "shared_memory", + "id": "x-mitre-sensor-mapping--dac085fb-6d2d-4ce6-9c15-bb9812db5e61", + "modified": "2023-10-27T20:54:34.33668Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.337675Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Darwin Virtual Memory statistics.", + "event_id": "virtual_memory_info", + "id": "x-mitre-sensor-mapping--5a495ae8-7c47-493b-b171-1b3d42278f51", + "modified": "2023-10-27T20:54:34.337675Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.339673Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "OS X's kernel extensions, both loaded and within the load search path.", + "event_id": "kernel_extensions", + "id": "x-mitre-sensor-mapping--cde1a64d-5ae1-4700-a702-db0b7ec249b6", + "modified": "2023-10-27T20:54:34.339673Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kernel Module", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.340669Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Basic active kernel information.", + "event_id": "kernel_info", + "id": "x-mitre-sensor-mapping--ff146701-7844-4a77-8ad0-af9b1494b2d7", + "modified": "2023-10-27T20:54:34.340669Z", + "relationship": "Accessed", + 
"revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kernel", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.342672Z", + "data_component": "Kernel Metadata", + "data_source": "Kernel", + "description": "Display kernel virtual address and speculative execution information for the system.", + "event_id": "kva_speculative_info", + "id": "x-mitre-sensor-mapping--ac974919-8681-49f1-8f03-fc1373e574ba", + "modified": "2023-10-27T20:54:34.342672Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Kernel Virtual Address", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.344673Z", + "data_component": "Kernel Module Load", + "data_source": "Kernel", + "description": "OS X Authorization mechanisms database.", + "event_id": "authorization_mechanisms", + "id": "x-mitre-sensor-mapping--d883c58f-4e8c-4f86-a7d8-255c0fd7cfd7", + "modified": "2023-10-27T20:54:34.344673Z", + "relationship": "Loaded", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kernel Module", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.345757Z", + "data_component": "Kernel Module Load", + "data_source": "Kernel", + "description": "Loaded FreeBSD kernel modules.", + "event_id": "fbsd_kmods", + "id": "x-mitre-sensor-mapping--816da180-4a74-45e1-88b8-25695757cb6a", + "modified": "2023-10-27T20:54:34.345757Z", + "relationship": "Loaded", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Kernel Module", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.346751Z", + "data_component": "Kernel Module Load", + "data_source": "Kernel", + "description": "Linux kernel modules both loaded and within the load 
search path.", + "event_id": "kernel_modules", + "id": "x-mitre-sensor-mapping--ae5277e5-17d5-4bdb-99d3-3f6533c1af3c", + "modified": "2023-10-27T20:54:34.346751Z", + "relationship": "Loaded", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Kernel Modules", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0008" + }, + { + "created": "2023-10-27T20:54:34.34775Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Users with an active shell on the system.", + "event_id": "logged_in_users", + "id": "x-mitre-sensor-mapping--148906b2-6328-43c0-b52d-d804ef760656", + "modified": "2023-10-27T20:54:34.34775Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Logon Session Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.348761Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "System logins and logouts.", + "event_id": "last", + "id": "x-mitre-sensor-mapping--2f01133d-ac36-4adc-a8c1-d4be25cef5a1", + "modified": "2023-10-27T20:54:34.348761Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Logon Session Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.349744Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "Windows Logon Session.", + "event_id": "logon_sessions", + "id": "x-mitre-sensor-mapping--1bcb2a4f-4d31-44c6-9f27-810d977b5620", + "modified": "2023-10-27T20:54:34.349744Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Logon Session Metadata", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.351751Z", + "data_component": "Named Pipe Enumeration", + "data_source": "Named Pipe", + "description": "Named and Anonymous pipes.", + "event_id": "pipes", + "id": "x-mitre-sensor-mapping--9770c533-68ec-4477-b56b-5194f9c5b3aa", + "modified": "2023-10-27T20:54:34.351751Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Named Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.352744Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "System mounted devices and filesystems (not process specific).", + "event_id": "mounts", + "id": "x-mitre-sensor-mapping--0b2056ef-de3c-4e1d-b450-6b33adca37c0", + "modified": "2023-10-27T20:54:34.352744Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.354693Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "Folders available to others via SMB or AFP.", + "event_id": "shared_folders", + "id": "x-mitre-sensor-mapping--a81ed573-00c8-4d06-b0f5-a107bcdf94fc", + "modified": "2023-10-27T20:54:34.354693Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.355693Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "NFS shares exported by the host.", + "event_id": "nfs_shares", + "id": "x-mitre-sensor-mapping--860645bb-da5e-4c74-b6b2-4262cfedca18", + "modified": 
"2023-10-27T20:54:34.355693Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.356762Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "OS X Sharing preferences.", + "event_id": "sharing_preferences", + "id": "x-mitre-sensor-mapping--21380588-6392-4b9f-9838-11065cf5dbcf", + "modified": "2023-10-27T20:54:34.356762Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.359765Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Address resolution cache, both static and dynamic (from ARP, NDP)", + "event_id": "arp_cache", + "id": "x-mitre-sensor-mapping--4ea3f298-ce1e-404d-a34b-20fdba174606", + "modified": "2023-10-27T20:54:34.359765Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Arp Cache", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.361769Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Enumerate the DNS cache using the undocumented DnsGetCacheDataTable function in dnsapi.dll.", + "event_id": "dns_cache", + "id": "x-mitre-sensor-mapping--62dd2bca-ce3e-47de-a888-36f6f5c22308", + "modified": "2023-10-27T20:54:34.361769Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Dns Cache", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.363684Z", + "data_component": 
"Network Status", + "data_source": "Sensor Health", + "description": "Resolvers used by this host.", + "event_id": "dns_resolvers", + "id": "x-mitre-sensor-mapping--b6d3e3e0-5dc7-4116-b6d9-77cd4b4fe7ee", + "modified": "2023-10-27T20:54:34.363684Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Dns Resolvers", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.364806Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "LLDP neighbors of interfaces.", + "event_id": "lldp_neighbors", + "id": "x-mitre-sensor-mapping--d4082d38-d2a1-4f82-8e03-eb34ba744a83", + "modified": "2023-10-27T20:54:34.364806Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Lldp Neighbor", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.365833Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Line-parsed /etc/protocols.", + "event_id": "etc_protocols", + "id": "x-mitre-sensor-mapping--0b0949b2-aa5a-4186-bcbc-f287d015dde8", + "modified": "2023-10-27T20:54:34.365833Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Protocols", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.366774Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Line-parsed /etc/hosts.", + "event_id": "etc_hosts", + "id": "x-mitre-sensor-mapping--25669419-0729-4040-838d-1a26cf81e609", + "modified": "2023-10-27T20:54:34.366774Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Hosts", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": 
"DS0013" + }, + { + "created": "2023-10-27T20:54:34.367849Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Line-parsed /etc/services.", + "event_id": "etc_services", + "id": "x-mitre-sensor-mapping--4032577f-3050-47e4-949d-5dd276105118", + "modified": "2023-10-27T20:54:34.367849Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Services", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.369855Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "The active route table for the host system.", + "event_id": "routes", + "id": "x-mitre-sensor-mapping--27157ac3-41d9-4396-b4bd-6068a889466c", + "modified": "2023-10-27T20:54:34.369855Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Routes", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.371116Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Detailed information and stats of network interfaces.", + "event_id": "interface_details", + "id": "x-mitre-sensor-mapping--dd7f92d4-04a7-4641-9373-a35880f1d10b", + "modified": "2023-10-27T20:54:34.371116Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Network Interfaces", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.371849Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Network interfaces and relevant metadata.", + "event_id": "interfaces", + "id": "x-mitre-sensor-mapping--080d2aaa-ed14-49e1-89e5-d46be3672118", + "modified": "2023-10-27T20:54:34.371849Z", + "relationship": 
"Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Network Interfaces", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.372768Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "IPv6 configuration and stats of network interfaces.", + "event_id": "interface_ipv6", + "id": "x-mitre-sensor-mapping--8fe4cc54-250e-4b7b-a01e-0866799a4c94", + "modified": "2023-10-27T20:54:34.372768Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Ipv6 Configuration", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.374917Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "OS X current WiFi status.", + "event_id": "wifi_status", + "id": "x-mitre-sensor-mapping--179dfa84-3304-4dbd-8f6d-59b4bf6ca735", + "modified": "2023-10-27T20:54:34.374917Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Wifi Status", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.375972Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "Processes with listening (bound) network sockets/ports.", + "event_id": "listening_ports", + "id": "x-mitre-sensor-mapping--59cbfe21-1873-47ab-b5c4-c566de9f96fc", + "modified": "2023-10-27T20:54:34.375972Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Listening Ports", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.377027Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "A table of 
parsed ssh_configs.", + "event_id": "ssh_configs", + "id": "x-mitre-sensor-mapping--173fdd4b-a54c-433d-9ca0-7e50fee060e9", + "modified": "2023-10-27T20:54:34.377027Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Ssh Configs", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.379041Z", + "data_component": "Network Status", + "data_source": "Sensor Health", + "description": "A line-delimited known_hosts table.", + "event_id": "known_hosts", + "id": "x-mitre-sensor-mapping--7850b5fd-5b7d-43eb-9e54-81f34572a539", + "modified": "2023-10-27T20:54:34.379041Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Hosts", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.380112Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Track network socket opens and closes.", + "event_id": "socket_events", + "id": "x-mitre-sensor-mapping--758d4e5d-d0c9-47c9-aa68-77813ca73d4d", + "modified": "2023-10-27T20:54:34.380112Z", + "relationship": "Created", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Socket", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.381381Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Track network socket opens and closes.", + "event_id": "socket_events", + "id": "x-mitre-sensor-mapping--9371b5c3-6c52-4df3-b8d8-8639af867c52", + "modified": "2023-10-27T20:54:34.381381Z", + "relationship": "Deleted", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Socket", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + 
"created": "2023-10-27T20:54:34.382452Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Track network socket opens and closes.", + "event_id": "socket_events", + "id": "x-mitre-sensor-mapping--7a8e7920-8804-482c-be04-78b265dadc91", + "modified": "2023-10-27T20:54:34.382452Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Socket", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.384139Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "macOS applications currently running on the host system.", + "event_id": "running_apps", + "id": "x-mitre-sensor-mapping--fb9f3880-323f-46e9-bdd7-f1c2cef902fc", + "modified": "2023-10-27T20:54:34.384139Z", + "relationship": "Executed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.38676Z", + "data_component": "Process Enumeration", + "data_source": "Process", + "description": "All running processes on the host system.", + "event_id": "processes", + "id": "x-mitre-sensor-mapping--f7addd5f-c618-41a3-a06d-28ae37302f63", + "modified": "2023-10-27T20:54:34.38676Z", + "relationship": "Enumerated", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.388874Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Track time/action process executions.", + "event_id": "process_events", + "id": "x-mitre-sensor-mapping--94ac5023-cb52-4b9e-8880-705d77297504", + "modified": "2023-10-27T20:54:34.388874Z", + "relationship": "Accessed", + "revoked": false, + "source": 
"User/Process/Service", + "spec_version": "2.1", + "target": "Process Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.389961Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "A key/value table of environment variables for each process.", + "event_id": "process_envs", + "id": "x-mitre-sensor-mapping--e25fa79c-5d2b-49b9-a0f3-d1c38818b9bc", + "modified": "2023-10-27T20:54:34.389961Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.391361Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Process memory mapped files and pseudo device/regions.", + "event_id": "process_memory_map", + "id": "x-mitre-sensor-mapping--f592a986-1c50-4e87-b290-ace0fc30b000", + "modified": "2023-10-27T20:54:34.391361Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.392453Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Linux namespaces for processes running on the host system.", + "event_id": "process_namespaces", + "id": "x-mitre-sensor-mapping--4be108af-ba31-450b-a825-1808d8383a02", + "modified": "2023-10-27T20:54:34.392453Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.395659Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "File descriptors for each process.", + "event_id": 
"process_open_files", + "id": "x-mitre-sensor-mapping--b0afb8e4-2f88-45a6-8ecd-a6fb9026fc2d", + "modified": "2023-10-27T20:54:34.395659Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.397863Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Pipes and partner processes for each process.", + "event_id": "process_open_pipes", + "id": "x-mitre-sensor-mapping--93c9edbd-a153-47a3-9488-ec00adb86408", + "modified": "2023-10-27T20:54:34.397863Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.398881Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Processes which have open network sockets on the system.", + "event_id": "process_open_sockets", + "id": "x-mitre-sensor-mapping--fee82275-2487-484e-aa35-5111c73feee2", + "modified": "2023-10-27T20:54:34.398881Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process Metadata", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.399986Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "Background Activities Moderator (BAM) tracks application execution.", + "event_id": "background_activities_moderator", + "id": "x-mitre-sensor-mapping--687e1829-a8dc-4e54-a0c0-1698027f47d1", + "modified": "2023-10-27T20:54:34.399986Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Process", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.401003Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "OS X package receipt details.", + "event_id": "package_receipts", + "id": "x-mitre-sensor-mapping--c8f27c02-910a-4597-9b95-aa402a1c0de7", + "modified": "2023-10-27T20:54:34.401003Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.403468Z", + "data_component": "Scheduled Job Metadata", + "data_source": "Scheduled Job", + "description": "Line parsed values from system and user cron/tab.", + "event_id": "crontab", + "id": "x-mitre-sensor-mapping--b205f9f7-75c5-4cbc-9d71-fba3d7c89c85", + "modified": "2023-10-27T20:54:34.403468Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Cron/Tab", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.404717Z", + "data_component": "Scheduled Job Metadata", + "data_source": "Scheduled Job", + "description": "LaunchAgents and LaunchDaemons from default search paths.", + "event_id": "launchd", + "id": "x-mitre-sensor-mapping--3b15ac88-a1f8-4eb3-99b7-846497e9e2a2", + "modified": "2023-10-27T20:54:34.404717Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Launchd", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.4058Z", + "data_component": "Scheduled Job Metadata", + "data_source": "Scheduled Job", + "description": "Override keys, per user, for LaunchDaemons and Agents.", + "event_id": "launchd_overrides", + "id": 
"x-mitre-sensor-mapping--3c985d7c-24ff-448c-8f66-9f32d275b1fe", + "modified": "2023-10-27T20:54:34.4058Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Launchd", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.407826Z", + "data_component": "Scheduled Task Enumeration", + "data_source": "Scheduled Task", + "description": "Lists all of the tasks in the Windows task scheduler.", + "event_id": "scheduled_tasks", + "id": "x-mitre-sensor-mapping--fc159f5a-3151-4a40-9eba-518ab1cd5c17", + "modified": "2023-10-27T20:54:34.407826Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Scheduled Tasks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:34.411109Z", + "data_component": "Script Execution", + "data_source": "Script", + "description": "Powershell script blocks reconstructed to their full script content, this table requires script block logging to be enabled.", + "event_id": "powershell_events", + "id": "x-mitre-sensor-mapping--59a64c07-8840-4839-bf8a-aa974b53ad49", + "modified": "2023-10-27T20:54:34.411109Z", + "relationship": "Recorded", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Script Execution", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0012" + }, + { + "created": "2023-10-27T20:54:34.413143Z", + "data_component": "Service Enumeration", + "data_source": "Service", + "description": "Lists all installed Windows services and their relevant data.", + "event_id": "services", + "id": "x-mitre-sensor-mapping--c72d5f76-105d-4d9a-bedb-bf5883d63848", + "modified": "2023-10-27T20:54:34.413143Z", + "relationship": "Read", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Services", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.414183Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Gatekeeper apps a user has allowed to run.", + "event_id": "gatekeeper_apps", + "id": "x-mitre-sensor-mapping--8455741c-b037-44c7-8e4e-a277d461e8ca", + "modified": "2023-10-27T20:54:34.414183Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Gatekeeper", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.416222Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "OS X Gatekeeper Details.", + "event_id": "gatekeeper", + "id": "x-mitre-sensor-mapping--ec205b11-59ff-4dfe-822a-a34ff1312056", + "modified": "2023-10-27T20:54:34.416222Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Gatekeeper", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.418226Z", + "data_component": "System Settings", + "data_source": "User Interface", + "description": "macOS screenlock status for the current logged in user context.", + "event_id": "screenlock", + "id": "x-mitre-sensor-mapping--bdce6757-1935-4a87-a846-efb1cb736e9f", + "modified": "2023-10-27T20:54:34.418226Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "System Settings", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "-1" + }, + { + "created": "2023-10-27T20:54:34.419233Z", + "data_component": "User Account Access", + "data_source": "User Account", + "description": "Local user accounts (including domain accounts that have logged on locally (Windows)).", + "event_id": "users", + "id": "x-mitre-sensor-mapping--3f03f91f-0a0f-4a34-a981-5d7d8b8db920", + "modified": 
"2023-10-27T20:54:34.419233Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "Users", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.421263Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "Track user events from the audit framework.", + "event_id": "user_events", + "id": "x-mitre-sensor-mapping--b2ff00ac-d066-4ce7-8528-e33841cb7ca0", + "modified": "2023-10-27T20:54:34.421263Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Authentication", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.42229Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "A line-delimited authorized_keys table", + "event_id": "authorized_keys", + "id": "x-mitre-sensor-mapping--11746483-f6d0-49dc-9b4a-07f194b80f6a", + "modified": "2023-10-27T20:54:34.42229Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account Keys", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.423297Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "OS X Authorization rights database.", + "event_id": "authorizations", + "id": "x-mitre-sensor-mapping--0f4a7109-d243-4b4b-a4e0-8ff097ad8bc3", + "modified": "2023-10-27T20:54:34.423297Z", + "relationship": "Authorizes", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.426798Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + 
"description": "Additional OS X user account data from the AccountPolicy section of OpenDirectory.", + "event_id": "account_policy_data", + "id": "x-mitre-sensor-mapping--02c09e65-2fe3-4b65-bbdf-88ab9dd37e1c", + "modified": "2023-10-27T20:54:34.426798Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "User Account Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.427942Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Local system users encrypted passwords and related information. Please note, that you usually need superuser rights to access `/etc/shadow`.", + "event_id": "shadow", + "id": "x-mitre-sensor-mapping--b9fa8afc-3248-439c-a944-f6a41ace142f", + "modified": "2023-10-27T20:54:34.427942Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "User Account Password", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.428926Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted.", + "event_id": "user_ssh_keys", + "id": "x-mitre-sensor-mapping--d8871ace-f68d-4e15-8668-2b7465456543", + "modified": "2023-10-27T20:54:34.428926Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "User Account Private Keys", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.431115Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "Application Compatibility shims are a way to persist malware. 
This table presents the AppCompat Shim information from the registry in a nice format. See http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf for more details.", + "event_id": "appcompat_shims", + "id": "x-mitre-sensor-mapping--d495bd8e-5039-4f70-9038-a51bfa9716cf", + "modified": "2023-10-27T20:54:34.431115Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.432209Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "All of the Windows registry hives.", + "event_id": "registry", + "id": "x-mitre-sensor-mapping--796e8a42-6073-4119-8983-f51ecfd769c9", + "modified": "2023-10-27T20:54:34.432209Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process", + "spec_version": "2.1", + "target": "Registry Key", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.434318Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "UserAssist Registry Key tracks when a user executes an application from Windows Explorer.", + "event_id": "userassist", + "id": "x-mitre-sensor-mapping--d9c07ea2-8957-4d5c-a1f6-de6edbc63f9b", + "modified": "2023-10-27T20:54:34.434318Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "User Assist", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.435309Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "Aggregate of executables that will automatically execute on the target machine. 
This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.", + "event_id": "autoexec", + "id": "x-mitre-sensor-mapping--37f20dcf-0538-4ab4-a7b3-6eecad1fb401", + "modified": "2023-10-27T20:54:34.435309Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.436351Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "Applications and binaries set as user/login startup items.", + "event_id": "startup_items", + "id": "x-mitre-sensor-mapping--6a84d836-3a37-47b7-8b53-fe82f221ab62", + "modified": "2023-10-27T20:54:34.436351Z", + "relationship": "Accessed", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Registry Keys", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.438487Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI CommandLineEventConsumer, which can be used for persistence on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.", + "event_id": "wmi_cli_event_consumers", + "id": "x-mitre-sensor-mapping--f011ad18-a624-460e-b2f6-dd310538d382", + "modified": "2023-10-27T20:54:34.438487Z", + "relationship": "Accessed", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "WMI", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.439507Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. 
See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details.", + "event_id": "wmi_script_event_consumers", + "id": "x-mitre-sensor-mapping--feb6947b-53f4-4c2f-8556-65c5dd11fed2", + "modified": "2023-10-27T20:54:34.439507Z", + "relationship": "Modified", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "WMI", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.442834Z", + "data_component": "WMI Enumeration", + "data_source": "WMI", + "description": "Lists the relationship between event consumers and filters.", + "event_id": "wmi_filter_consumer_binding", + "id": "x-mitre-sensor-mapping--2dc85e75-be65-4f1c-83c8-0f93bdcfdeac", + "modified": "2023-10-27T20:54:34.442834Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "WMI", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.444906Z", + "data_component": "WMI Enumeration", + "data_source": "WMI", + "description": "Lists WMI event filters.", + "event_id": "wmi_event_filters", + "id": "x-mitre-sensor-mapping--75f71788-939e-4ee4-b379-2ed47713f835", + "modified": "2023-10-27T20:54:34.444906Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User/Process/Service", + "spec_version": "2.1", + "target": "WMI Event Filter", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.463112Z", + "data_component": "Driver Load", + "data_source": "Driver", + "description": "Driver loaded", + "event_id": "", + "id": "x-mitre-sensor-mapping--56912b21-b291-4496-ac50-6072bca43e7a", + "modified": "2023-10-27T20:54:34.463112Z", + "relationship": "Loaded", + "revoked": false, + "source": 
"Driver", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.464157Z", + "data_component": "File Access", + "data_source": "File", + "description": "The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\\ denotation", + "event_id": "", + "id": "x-mitre-sensor-mapping--b31163b5-8f84-4e3f-a230-295d340ce037", + "modified": "2023-10-27T20:54:34.464157Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.464676Z", + "data_component": "File Creation", + "data_source": "File", + "description": "FileCreate", + "event_id": "", + "id": "x-mitre-sensor-mapping--6d66f790-b3f9-49d8-b7c9-9bba9b36af89", + "modified": "2023-10-27T20:54:34.464676Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.465669Z", + "data_component": "File Creation", + "data_source": "File", + "description": "FileCreateStreamHash", + "event_id": "", + "id": "x-mitre-sensor-mapping--be1cc0f0-fe29-4c5e-abf0-5f4c6f2ac682", + "modified": "2023-10-27T20:54:34.465669Z", + "relationship": "Created", + "revoked": false, + "source": "File", + "spec_version": "2.1", + "target": "File Stream Hash", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.466791Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "FileDelete", + "event_id": "", + "id": "x-mitre-sensor-mapping--041d1d45-751b-4875-9fc8-d4ce85275926", + "modified": "2023-10-27T20:54:34.466791Z", + "relationship": "Deleted", + "revoked": false, + 
"source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.467865Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "File Delete logged.", + "event_id": "", + "id": "x-mitre-sensor-mapping--84dccb9a-da5f-4b73-a84a-5811c429bd88", + "modified": "2023-10-27T20:54:34.467865Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.468886Z", + "data_component": "File Modification", + "data_source": "File", + "description": "A process changed a file creation time", + "event_id": "", + "id": "x-mitre-sensor-mapping--b1dc8eae-ddb1-4dfe-a96f-057680c89e7c", + "modified": "2023-10-27T20:54:34.468886Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User/File", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.471077Z", + "data_component": "Module Load", + "data_source": "Module", + "description": "Image Loaded", + "event_id": "", + "id": "x-mitre-sensor-mapping--5cb091c8-c4fa-40b5-a387-d0efd6d072be", + "modified": "2023-10-27T20:54:34.471077Z", + "relationship": "Loaded", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Module", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0011" + }, + { + "created": "2023-10-27T20:54:34.472998Z", + "data_component": "Named Pipe Connection", + "data_source": "Named Pipe", + "description": "PipeEvent (Pipe Connected)", + "event_id": "", + "id": "x-mitre-sensor-mapping--0490edcc-7da6-42f4-9943-1cba0ab5ddbb", + "modified": "2023-10-27T20:54:34.472998Z", + "relationship": "Created", + "revoked": false, + "source": 
"Process", + "spec_version": "2.1", + "target": "Named Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.475103Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "PipeEvent (Pipe Created)", + "event_id": "", + "id": "x-mitre-sensor-mapping--5b910e45-1686-4938-91a8-6c437d3827e9", + "modified": "2023-10-27T20:54:34.475103Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.476102Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "PipeEvent (Pipe Created)", + "event_id": "", + "id": "x-mitre-sensor-mapping--f1b20673-8b34-47cf-8ccd-8324ee2cdaae", + "modified": "2023-10-27T20:54:34.476102Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.477215Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "PipeEvent (Pipe Connected)", + "event_id": "", + "id": "x-mitre-sensor-mapping--528e5198-fe7e-4e2e-9426-08139cad9918", + "modified": "2023-10-27T20:54:34.477215Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.479323Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Network connection", + "event_id": "", + "id": "x-mitre-sensor-mapping--710fa8f2-41af-491d-86ab-a75c350e8bc9", + "modified": "2023-10-27T20:54:34.479323Z", + "relationship": "Connected 
To/From", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ip/Port/Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.480406Z", + "data_component": "Process Access", + "data_source": "Process", + "description": "ProcessAccess", + "event_id": "", + "id": "x-mitre-sensor-mapping--d2474944-bdcf-49b6-994c-683627126c66", + "modified": "2023-10-27T20:54:34.480406Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.481431Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "A new process has been created", + "event_id": "", + "id": "x-mitre-sensor-mapping--323a48e7-e750-45d3-a7b1-4458f0486c16", + "modified": "2023-10-27T20:54:34.481431Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.482522Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "A new process has been created", + "event_id": "", + "id": "x-mitre-sensor-mapping--f7db2eaa-a537-4213-8e04-b51958118dfb", + "modified": "2023-10-27T20:54:34.482522Z", + "relationship": "Executed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.48425Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": "EventID(30)", + "event_id": "", + "id": "x-mitre-sensor-mapping--0be20a9a-f266-4edc-b626-bd45288c61b4", + "modified": "2023-10-27T20:54:34.48425Z", + "relationship": "Searched", + 
"revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Ldap", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.485962Z", + "data_component": "Process Modification", + "data_source": "Process", + "description": "The CreateRemoteThread event detects when a process creates a thread in another process.", + "event_id": "", + "id": "x-mitre-sensor-mapping--35cc55db-fa79-429c-9a14-740cd80f14db", + "modified": "2023-10-27T20:54:34.485962Z", + "relationship": "Modified", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.487065Z", + "data_component": "Process Termination", + "data_source": "Process", + "description": "Process terminated", + "event_id": "", + "id": "x-mitre-sensor-mapping--693e9680-a3cd-441c-b2a5-01ae27d7802e", + "modified": "2023-10-27T20:54:34.487065Z", + "relationship": "Terminated", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.487968Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Sysmon service state changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--a0a20744-a7b0-4c76-924b-e4ef1105bd27", + "modified": "2023-10-27T20:54:34.487968Z", + "relationship": "Stopped/Started", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.490097Z", + "data_component": "Windows Registry Key Creation", + "data_source": "Windows Registry", + "description": "RegistryEvent (Object create and delete)", + "event_id": "", + "id": 
"x-mitre-sensor-mapping--da9593be-d9c9-4abb-95c3-8815b264dd6b", + "modified": "2023-10-27T20:54:34.490097Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.492083Z", + "data_component": "Windows Registry Key Deletion", + "data_source": "Windows Registry", + "description": "RegistryEvent (Object create and delete)", + "event_id": "", + "id": "x-mitre-sensor-mapping--d934a866-0c14-476d-b279-568f3af4893a", + "modified": "2023-10-27T20:54:34.492083Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.493081Z", + "data_component": "Windows Registry Key Modification", + "data_source": "Windows Registry", + "description": "RegistryEvent (Value Set)", + "event_id": "", + "id": "x-mitre-sensor-mapping--b628ff3c-913a-4132-92eb-18ff758999d0", + "modified": "2023-10-27T20:54:34.493081Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.495088Z", + "data_component": "Windows Registry Key Modification", + "data_source": "Windows Registry", + "description": "RegistryEvent (Key and Value Rename)", + "event_id": "", + "id": "x-mitre-sensor-mapping--957f5f16-7f49-41ae-8342-67e7f8cb2bf3", + "modified": "2023-10-27T20:54:34.495088Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.496083Z", + "data_component": "WMI 
Creation", + "data_source": "WMI", + "description": "WmiEvent (WmiEventFilter activity detected).", + "event_id": "", + "id": "x-mitre-sensor-mapping--780ab1bc-6049-4beb-96d3-a45ff5bfc56b", + "modified": "2023-10-27T20:54:34.496083Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.497149Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WmiEvent (WmiEventConsumer activity detected).", + "event_id": "", + "id": "x-mitre-sensor-mapping--3f3d36d6-a81d-42ef-a7de-37fbda3d5ab4", + "modified": "2023-10-27T20:54:34.497149Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.498234Z", + "data_component": "WMI Deletion", + "data_source": "WMI", + "description": "WmiEvent (WmiEventFilter activity detected).", + "event_id": "", + "id": "x-mitre-sensor-mapping--738767bb-d93e-4aef-bf94-29e53f87255e", + "modified": "2023-10-27T20:54:34.498234Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.499491Z", + "data_component": "WMI Deletion", + "data_source": "WMI", + "description": "WmiEvent (WmiEventConsumer activity detected).", + "event_id": "", + "id": "x-mitre-sensor-mapping--560ed321-e8b2-4454-b684-5e07256782b6", + "modified": "2023-10-27T20:54:34.499491Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": 
"2023-10-27T20:54:34.527185Z", + "data_component": "Active Directory Credential Request", + "data_source": "Active Directory", + "description": "A Kerberos authentication ticket (TGT) was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9c25aa9b-6555-47aa-9435-dc6297bcaa84", + "modified": "2023-10-27T20:54:34.527185Z", + "relationship": "Requested", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Credential", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.52866Z", + "data_component": "Active Directory Credential Request", + "data_source": "Active Directory", + "description": "A Kerberos service ticket was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--42d981be-3b91-4148-b1bc-d20ebe919845", + "modified": "2023-10-27T20:54:34.52866Z", + "relationship": "Requested", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Credential", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.529735Z", + "data_component": "Active Directory Credential Request", + "data_source": "Active Directory", + "description": "Kerberos pre-authentication failed", + "event_id": "", + "id": "x-mitre-sensor-mapping--ef0f9bb4-c695-4222-b281-182279d2bb12", + "modified": "2023-10-27T20:54:34.529735Z", + "relationship": "Requested", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Credential", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.529735Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "A handle to an object was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8d86405c-5845-4857-aae4-9a7d178e0f17", + "modified": "2023-10-27T20:54:34.529735Z", + "relationship": "Requested Access To", + 
"revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.530777Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "An operation was performed on an object.", + "event_id": "", + "id": "x-mitre-sensor-mapping--e44dac91-9241-4482-a8b0-7bab361d6b1d", + "modified": "2023-10-27T20:54:34.530777Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.531855Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "A Kerberos service ticket request failed", + "event_id": "", + "id": "x-mitre-sensor-mapping--ac963d4f-5f60-406b-a768-5efa8bf8a1f7", + "modified": "2023-10-27T20:54:34.531855Z", + "relationship": "Requested", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service Ticket", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.532894Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "Synchronization of a replica of an Active Directory naming context has begun.", + "event_id": "", + "id": "x-mitre-sensor-mapping--88ce15fc-750f-40ea-8257-f2d2cd1e92d7", + "modified": "2023-10-27T20:54:34.532894Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.535185Z", + "data_component": "Active Directory Object Creation", + "data_source": "Active Directory", + "description": "A directory service object was 
created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8ae512d0-202a-40a2-9ffb-7e34cd172548", + "modified": "2023-10-27T20:54:34.535185Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.536268Z", + "data_component": "Active Directory Object Creation", + "data_source": "Active Directory", + "description": "A directory service object was undeleted", + "event_id": "", + "id": "x-mitre-sensor-mapping--0b39bc32-6bf2-4c60-ab41-d5c2e314e3a6", + "modified": "2023-10-27T20:54:34.536268Z", + "relationship": "Restored", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.537288Z", + "data_component": "Active Directory Object Deletion", + "data_source": "Active Directory", + "description": "A directory service object was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9ab01b4e-1cb2-4681-925c-f8674d58312c", + "modified": "2023-10-27T20:54:34.537288Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.537328Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "System audit policy was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9eb22e69-fb90-4825-baed-4fd9ce117787", + "modified": "2023-10-27T20:54:34.537328Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.538396Z", + 
"data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "A security-enabled global group was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--dc8fef80-73f7-4926-a2a4-c1fd75e113b9", + "modified": "2023-10-27T20:54:34.538396Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.539443Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "A Kerberos service ticket was renewed", + "event_id": "", + "id": "x-mitre-sensor-mapping--f3ae9908-abb8-4efd-bbbc-2e4570acbcd2", + "modified": "2023-10-27T20:54:34.539443Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Credential", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.540532Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "A directory service object was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--66ab43da-b372-4df3-ad08-e082eb517e97", + "modified": "2023-10-27T20:54:34.540532Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.541905Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "A directory service object was moved.", + "event_id": "", + "id": "x-mitre-sensor-mapping--2f4aa5f7-d924-4b3d-b319-a76ce127ab65", + "modified": "2023-10-27T20:54:34.541905Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", 
+ "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.542908Z", + "data_component": "Command Execution", + "data_source": "Command", + "description": "Module logging.", + "event_id": "", + "id": "x-mitre-sensor-mapping--92c47e8e-fce7-45ac-b5e6-824b31f678e5", + "modified": "2023-10-27T20:54:34.542908Z", + "relationship": "Executed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Command", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0017" + }, + { + "created": "2023-10-27T20:54:34.543904Z", + "data_component": "Drive Creation", + "data_source": "Drive", + "description": "A new external device was recognized by the system.", + "event_id": "", + "id": "x-mitre-sensor-mapping--3ce688cc-3800-4ee6-b46e-d2083a9e98cc", + "modified": "2023-10-27T20:54:34.543904Z", + "relationship": "Installed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.544901Z", + "data_component": "Drive Creation", + "data_source": "Drive", + "description": "The installation of this device is forbidden by system policy.", + "event_id": "", + "id": "x-mitre-sensor-mapping--a230912d-760d-4b80-91eb-f1871f9faf84", + "modified": "2023-10-27T20:54:34.544901Z", + "relationship": "Attempted To Install", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.5459Z", + "data_component": "Drive Creation", + "data_source": "Drive", + "description": "The installation of this device was allowed, after having previously been forbidden by policy.", + "event_id": "", + "id": "x-mitre-sensor-mapping--71b6a11d-beb5-48d2-8d33-b39c85c4db60", + "modified": "2023-10-27T20:54:34.5459Z", + 
"relationship": "Installed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.546904Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "A request was made to disable a device.", + "event_id": "", + "id": "x-mitre-sensor-mapping--bc20fd65-a76c-4ff7-bdbb-bba3eee9bc55", + "modified": "2023-10-27T20:54:34.546904Z", + "relationship": "Attempted To Disable", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.547908Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "A device was disabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--b0fe03a7-c9bb-4179-8dfd-d59f1d27dfec", + "modified": "2023-10-27T20:54:34.547908Z", + "relationship": "Disabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.547908Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "A request was made to enable a device.", + "event_id": "", + "id": "x-mitre-sensor-mapping--a15af5b2-de97-485e-bac1-61de4fa4dbef", + "modified": "2023-10-27T20:54:34.547908Z", + "relationship": "Attempted To Enable", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.550096Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "A device was enabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--aca73812-0a48-45ba-8eb9-d8b69d04db20", + "modified": 
"2023-10-27T20:54:34.550096Z", + "relationship": "Enabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.551181Z", + "data_component": "File Access", + "data_source": "File", + "description": "A handle to an object was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--87286cb3-6347-48cd-bd57-e300cc590add", + "modified": "2023-10-27T20:54:34.551181Z", + "relationship": "Requested Access To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.552221Z", + "data_component": "File Access", + "data_source": "File", + "description": "A handle to an object was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--4c27d592-7d43-4b7f-ab39-7da07c74db2e", + "modified": "2023-10-27T20:54:34.552221Z", + "relationship": "Requested Access To", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.5533Z", + "data_component": "File Access", + "data_source": "File", + "description": "An attempt was made to access an object", + "event_id": "", + "id": "x-mitre-sensor-mapping--908c28c5-273f-4c63-9eff-594f0954643c", + "modified": "2023-10-27T20:54:34.5533Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.55435Z", + "data_component": "File Access", + "data_source": "File", + "description": "An attempt was made to duplicate a handle to an object.", + "event_id": "", + "id": 
"x-mitre-sensor-mapping--6fc12a34-1ab9-49fd-aae7-0468a3a568fd", + "modified": "2023-10-27T20:54:34.55435Z", + "relationship": "Accessed", + "revoked": false, + "source": "File", + "spec_version": "2.1", + "target": "File Handle", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.555331Z", + "data_component": "File Creation", + "data_source": "File", + "description": "An attempt was made to access an object.", + "event_id": "", + "id": "x-mitre-sensor-mapping--13096ea2-7e2e-4b49-957f-18b792e960cb", + "modified": "2023-10-27T20:54:34.555331Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.556418Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "An object was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--fbedc951-dc4c-477f-81ef-9d9d6ba8993f", + "modified": "2023-10-27T20:54:34.556418Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.557907Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "An attempt was made to access an object.", + "event_id": "", + "id": "x-mitre-sensor-mapping--0d087181-9c0f-4cb1-b895-c8dbede2a802", + "modified": "2023-10-27T20:54:34.557907Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.558913Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "An attempt was made to create a hard link.", + "event_id": 
"", + "id": "x-mitre-sensor-mapping--ceee3dd0-3dcb-4692-a7e2-0f70592c5389", + "modified": "2023-10-27T20:54:34.558913Z", + "relationship": "Modified", + "revoked": false, + "source": "File", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.560025Z", + "data_component": "File Modification", + "data_source": "File", + "description": "Permissions on an object were changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--b59007c7-6f4d-438a-9b07-01de7965c22c", + "modified": "2023-10-27T20:54:34.560025Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.561113Z", + "data_component": "Firewall Disable", + "data_source": "Firewall", + "description": "The Windows Firewall Service has been stopped.", + "event_id": "", + "id": "x-mitre-sensor-mapping--1de758a3-61c0-421f-a99c-595a423fcdc0", + "modified": "2023-10-27T20:54:34.561113Z", + "relationship": "Disabled", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.562137Z", + "data_component": "Firewall Disable", + "data_source": "Firewall", + "description": "The Windows Firewall Driver was stopped.", + "event_id": "", + "id": "x-mitre-sensor-mapping--38ff9b62-9bd1-4750-b255-7e4e5ab16bad", + "modified": "2023-10-27T20:54:34.562137Z", + "relationship": "Disabled", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.564338Z", + "data_component": "Firewall Enabled", + "data_source": "Firewall", + "description": 
"The Windows Firewall Service has started successfully.", + "event_id": "", + "id": "x-mitre-sensor-mapping--19a8e526-1d27-4d6a-817f-9afad153963a", + "modified": "2023-10-27T20:54:34.564338Z", + "relationship": "Enabled", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.56625Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "A Windows Defender Firewall setting has changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--e31424d2-2eee-473b-8f33-91c074b963a8", + "modified": "2023-10-27T20:54:34.56625Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.567373Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "A Windows Defender Firewall setting in the Private profile has changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8136df0d-d482-4e96-8cdd-e70cedec7636", + "modified": "2023-10-27T20:54:34.567373Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.569405Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "The Windows Firewall service failed to load Group Policy.", + "event_id": "", + "id": "x-mitre-sensor-mapping--3ee2db9d-b717-4ad6-85d2-66b55516c91c", + "modified": "2023-10-27T20:54:34.569405Z", + "relationship": "Attempted To Load", + "revoked": false, + "source": "Firewall", + "spec_version": "2.1", + "target": "Configuration", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.570483Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "A windows firewall setting has changed", + "event_id": "", + "id": "x-mitre-sensor-mapping--b1b4be04-f309-4459-b89c-89d4993bd3ad", + "modified": "2023-10-27T20:54:34.570483Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Setting", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.572555Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "Windows firewall group policy settings has changed", + "event_id": "", + "id": "x-mitre-sensor-mapping--26dc20e2-0b2b-4105-b6cd-3559abc6cc9d", + "modified": "2023-10-27T20:54:34.572555Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.577551Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A rule has been added to the Windows Defender Firewall exception list", + "event_id": "", + "id": "x-mitre-sensor-mapping--bff93520-1875-4c76-a741-4b207a85119f", + "modified": "2023-10-27T20:54:34.577551Z", + "relationship": "Add", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.578548Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A rule has been modified in the Windows Defender Firewall exception list.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ca8b11d5-1f50-40ed-b403-58fba0ec03de", + "modified": 
"2023-10-27T20:54:34.578548Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.582772Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A rule has been deleted in the Windows Defender Firewall exception list", + "event_id": "", + "id": "x-mitre-sensor-mapping--70eb0537-b908-4559-a93c-f1d0a6d791d4", + "modified": "2023-10-27T20:54:34.582772Z", + "relationship": "Removed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.584398Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "All rules have been deleted from the Windows Firewall configuration on this computer.", + "event_id": "", + "id": "x-mitre-sensor-mapping--759f4177-0d8d-459c-b41d-9ef45d257924", + "modified": "2023-10-27T20:54:34.584398Z", + "relationship": "Removed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.586454Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A change has been made to Windows Firewall exception list. 
A rule was added.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8c9bdd3d-5f41-4f6d-be01-59cd9798c752", + "modified": "2023-10-27T20:54:34.586454Z", + "relationship": "Added", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.587386Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A change has been made to Windows Firewall exception list. A rule was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--377d489d-5ea3-4fc2-868d-95166f83ea9f", + "modified": "2023-10-27T20:54:34.587386Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.589389Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A change has been made to Windows Firewall exception list. 
A rule was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d4bf5bd9-47e2-43d6-90c2-552f4adfe734", + "modified": "2023-10-27T20:54:34.589389Z", + "relationship": "Removed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.591389Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "A security-enabled global group was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--2a5b9900-387d-4380-9837-2407899c46f0", + "modified": "2023-10-27T20:54:34.591389Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.593393Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "A security-enabled local group was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--c9e9b4d4-5057-4bde-af4a-060b6c8bee0c", + "modified": "2023-10-27T20:54:34.593393Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.594975Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "A security-enabled universal group was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--928118cb-fc65-4e11-8436-66b9e8bcb0aa", + "modified": "2023-10-27T20:54:34.594975Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.596686Z", + "data_component": "Group Deletion", + "data_source": "Group", + 
"description": "A security-enabled global group was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--4c7b6251-be4c-4a46-82b9-4dd502bd1203", + "modified": "2023-10-27T20:54:34.596686Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.59768Z", + "data_component": "Group Deletion", + "data_source": "Group", + "description": "A security-enabled local group was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--fe516a78-5775-4c38-9472-8492c62f9876", + "modified": "2023-10-27T20:54:34.59768Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.599676Z", + "data_component": "Group Deletion", + "data_source": "Group", + "description": "A security-enabled universal group was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--0eb91241-e300-480e-af24-d5e0c81ed1e9", + "modified": "2023-10-27T20:54:34.599676Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.600689Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "A user's local group membership was enumerated.", + "event_id": "", + "id": "x-mitre-sensor-mapping--f28ff076-2511-4ae0-bb56-61caad46b722", + "modified": "2023-10-27T20:54:34.600689Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.601686Z", + "data_component": "Group 
Enumeration", + "data_source": "Group", + "description": "A security-enabled local group membership was enumerated.", + "event_id": "", + "id": "x-mitre-sensor-mapping--4b917b25-a935-4e2b-8d52-fb6d1da584d2", + "modified": "2023-10-27T20:54:34.601686Z", + "relationship": "Enumerated", + "revoked": false, + "source": "Group", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.602672Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was removed from a security-enabled global group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--c5c7c883-5d0c-46a1-b418-5381bd234ecc", + "modified": "2023-10-27T20:54:34.602672Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.603675Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was added to a security-enabled local group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--1ee46d99-888f-4a62-954b-3833c41305c5", + "modified": "2023-10-27T20:54:34.603675Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.60567Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was removed from a security-enabled local group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d3758081-baa6-49b2-a3bc-8bb2d9458f9d", + "modified": "2023-10-27T20:54:34.60567Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": 
"DS0036" + }, + { + "created": "2023-10-27T20:54:34.606677Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A security-enabled local group was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--36269f0c-95e8-439c-9b86-9d6246f7a370", + "modified": "2023-10-27T20:54:34.606677Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.607671Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A security-enabled universal group was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--99dbd254-2b9d-4038-8387-2aa779c12108", + "modified": "2023-10-27T20:54:34.607671Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.608675Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was added to a security-enabled universal group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--c00367e8-0dd6-49e9-b08a-d24370fe5df9", + "modified": "2023-10-27T20:54:34.608675Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.610674Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was removed from a security-enabled universal group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--7c0f70ce-4701-4edd-89b0-b887e38792d0", + "modified": "2023-10-27T20:54:34.610674Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": 
"Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.611672Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A groups type was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--877d4fa0-3cde-414c-80d7-935ae5e07459", + "modified": "2023-10-27T20:54:34.611672Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.61267Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The event logging service has shut down.", + "event_id": "", + "id": "x-mitre-sensor-mapping--6c5ea4c1-e91c-4228-8eca-710021515205", + "modified": "2023-10-27T20:54:34.61267Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.614249Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Audit events have been dropped by the transport.", + "event_id": "", + "id": "x-mitre-sensor-mapping--2a214bc6-a38d-4968-ac7e-e73ecbf0bf59", + "modified": "2023-10-27T20:54:34.614249Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.61524Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The audit log was cleared.", + "event_id": "", + "id": "x-mitre-sensor-mapping--511fd4b0-72b0-4b29-b770-369debd0521c", + "modified": "2023-10-27T20:54:34.61524Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": 
"2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.617242Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The security Log is now full.", + "event_id": "", + "id": "x-mitre-sensor-mapping--93cc7ac0-58cc-4070-afff-a388037c88e3", + "modified": "2023-10-27T20:54:34.617242Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.61824Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The system time was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--03100a8d-b268-43b7-bbe8-297f8d7e6980", + "modified": "2023-10-27T20:54:34.61824Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.619241Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The Event log service was started.", + "event_id": "", + "id": "x-mitre-sensor-mapping--47022cf5-f8d7-4976-b317-fe94eba08db5", + "modified": "2023-10-27T20:54:34.619241Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.620238Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The Event log service was stopped.", + "event_id": "", + "id": "x-mitre-sensor-mapping--83b53e60-ed63-4968-a26b-f8431670c195", + "modified": "2023-10-27T20:54:34.620238Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + 
"spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.621239Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "An account was successfully logged on", + "event_id": "", + "id": "x-mitre-sensor-mapping--a8069d0d-080c-4c3b-a669-7ea01d67f55f", + "modified": "2023-10-27T20:54:34.621239Z", + "relationship": "Created Logon From", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ip/Port/Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.623237Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "A session was reconnected to a Window Station.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ea450fc4-cda7-4547-aa1d-c6d32ffb3db7", + "modified": "2023-10-27T20:54:34.623237Z", + "relationship": "Created Logon From", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ip", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.625861Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "Special groups have been assigned to a new logon.", + "event_id": "", + "id": "x-mitre-sensor-mapping--15973cf6-638b-4183-8be0-7cdade8258c7", + "modified": "2023-10-27T20:54:34.625861Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.631857Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "An authentication package has been loaded by the Local Security Authority.", + "event_id": "", + "id": 
"x-mitre-sensor-mapping--e2a82e8e-f8bd-4edc-96e3-ac7e21cd238f", + "modified": "2023-10-27T20:54:34.631857Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.634026Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "A trusted logon process has been registered with the Local Security Authority.", + "event_id": "", + "id": "x-mitre-sensor-mapping--86734b51-cfa1-4564-b2fd-081f03626e71", + "modified": "2023-10-27T20:54:34.634026Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.636011Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "A notification package has been loaded by the Security Account Manager.", + "event_id": "", + "id": "x-mitre-sensor-mapping--74ba1fe3-1407-474c-bf9e-472a05ae5fc3", + "modified": "2023-10-27T20:54:34.636011Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.637012Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "A security package has been loaded by the Local Security Authority.", + "event_id": "", + "id": "x-mitre-sensor-mapping--58abf3cd-00de-41b5-a2f9-d3554713b424", + "modified": "2023-10-27T20:54:34.637012Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.638008Z", + 
"data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "An account was logged off", + "event_id": "", + "id": "x-mitre-sensor-mapping--6f9650bf-b8e7-4443-b526-118954a130a3", + "modified": "2023-10-27T20:54:34.638008Z", + "relationship": "Terminated", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.640011Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "User initiated logoff.", + "event_id": "", + "id": "x-mitre-sensor-mapping--6152f292-7588-47e2-9462-5e6f5187961e", + "modified": "2023-10-27T20:54:34.640011Z", + "relationship": "Terminated", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.642012Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "A privileged service was called.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9e140269-21ea-42d0-bc9d-c06360ba0b44", + "modified": "2023-10-27T20:54:34.642012Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.645544Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "An operation was attempted on a privileged object.", + "event_id": "", + "id": "x-mitre-sensor-mapping--424ee977-ac4d-479c-8ede-93e009b43b2f", + "modified": "2023-10-27T20:54:34.645544Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + 
}, + { + "created": "2023-10-27T20:54:34.648545Z", + "data_component": "Logon Session Modification", + "data_source": "Logon Session", + "description": "Special privileges assigned to new logon.", + "event_id": "", + "id": "x-mitre-sensor-mapping--dea11216-2cc4-458c-a79d-31b991126266", + "modified": "2023-10-27T20:54:34.648545Z", + "relationship": "Modified", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.650544Z", + "data_component": "Logon Session Terminated", + "data_source": "Logon Session", + "description": "A session was disconnected from a Window Station", + "event_id": "", + "id": "x-mitre-sensor-mapping--6ae5a682-9915-40d8-a1a4-09fa941e59c1", + "modified": "2023-10-27T20:54:34.650544Z", + "relationship": "Disconnected Fom", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Host", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.652542Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "A handle to an object was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--dc4569db-0f31-4f8c-bbd9-adb9bc9f9f1f", + "modified": "2023-10-27T20:54:34.652542Z", + "relationship": "Created", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.653541Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "A network share object was checked to see whether client can be granted desired access.", + "event_id": "", + "id": "x-mitre-sensor-mapping--aca16137-534f-4157-9ef6-c007a797df96", + "modified": "2023-10-27T20:54:34.653541Z", + "relationship": "Created", + "revoked": false, + "source": "User", 
+ "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.654543Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Firewall Service blocked an application from accepting incoming connections on the network.", + "event_id": "", + "id": "x-mitre-sensor-mapping--f7cb5714-055a-4899-9f6b-cf183445abe1", + "modified": "2023-10-27T20:54:34.654543Z", + "relationship": "Blocked Connection To", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.656543Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.", + "event_id": "", + "id": "x-mitre-sensor-mapping--20cc4fdb-f364-4d6f-b6af-e2bb55c41235", + "modified": "2023-10-27T20:54:34.656543Z", + "relationship": "Permitted Listener On", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Ip/Port/Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.660097Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d1dc6913-62a4-43d9-813c-b9bf2558962f", + "modified": "2023-10-27T20:54:34.660097Z", + "relationship": "Listened On", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": 
"2023-10-27T20:54:34.662093Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.", + "event_id": "", + "id": "x-mitre-sensor-mapping--808cef8c-0de3-4efa-89e7-aee2c5721d9b", + "modified": "2023-10-27T20:54:34.662093Z", + "relationship": "Blocked Listener To", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Ip/Port/Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.664092Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d638a70c-1aaa-4abf-83d6-c62d5ebfe7ff", + "modified": "2023-10-27T20:54:34.664092Z", + "relationship": "Attempted To Listen On", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.666109Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has permitted a connection.", + "event_id": "", + "id": "x-mitre-sensor-mapping--317196bb-6b3e-45df-8467-52d65797ad41", + "modified": "2023-10-27T20:54:34.666109Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Ip/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.667092Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked a connection.", + 
"event_id": "", + "id": "x-mitre-sensor-mapping--9e9e7531-4a45-4028-a198-2a5d5bfc9219", + "modified": "2023-10-27T20:54:34.667092Z", + "relationship": "Attempted Connection To/From", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Ip/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.669091Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked a connection.", + "event_id": "", + "id": "x-mitre-sensor-mapping--01c5c58a-3857-4744-afd2-955abfe3ec51", + "modified": "2023-10-27T20:54:34.669091Z", + "relationship": "Blocked Connection To", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Process/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.670093Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has permitted a bind to a local port.", + "event_id": "", + "id": "x-mitre-sensor-mapping--7883811a-89f3-426b-b68e-2ff500541bc0", + "modified": "2023-10-27T20:54:34.670093Z", + "relationship": "Bound To", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.671096Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked a bind to a local port.", + "event_id": "", + "id": "x-mitre-sensor-mapping--60e33079-1834-45ce-a923-ecc7846d63f5", + "modified": "2023-10-27T20:54:34.671096Z", + "relationship": "Blocked Port Bind On", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Ip/Port/Process", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.673095Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked a bind to a local port.", + "event_id": "", + "id": "x-mitre-sensor-mapping--35442ebd-821e-4db5-89c0-c23809bc5f36", + "modified": "2023-10-27T20:54:34.673095Z", + "relationship": "Attempted To Bind On", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.675095Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "A network share object was accessed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--c0763b06-c5d3-4a9c-9b49-ea62040ec469", + "modified": "2023-10-27T20:54:34.675095Z", + "relationship": "Attempted To Access", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.677092Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "A network share object was checked to see whether client can be granted desired access.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ad97544a-05dc-47c7-b6e1-fb69c84c6526", + "modified": "2023-10-27T20:54:34.677092Z", + "relationship": "Attempted To Access", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.679093Z", + "data_component": "Network Share Creation", + "data_source": "Network Share", + "description": "A network share object was added.", + "event_id": "", + "id": 
"x-mitre-sensor-mapping--dc7464d2-3cb0-40f6-97e7-062ed0ca2e7d", + "modified": "2023-10-27T20:54:34.679093Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.680095Z", + "data_component": "Network Share Deletion", + "data_source": "Network Share", + "description": "A network share object was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--38cacfeb-ce28-414b-8ee2-39cf5450236d", + "modified": "2023-10-27T20:54:34.680095Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.682097Z", + "data_component": "Network Share Modification", + "data_source": "Network Share", + "description": "A network share object was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--b9b84ba9-4882-4c9b-9457-0943575ad58f", + "modified": "2023-10-27T20:54:34.682097Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.684091Z", + "data_component": "Process Access", + "data_source": "Process", + "description": "A handle to an object was requested", + "event_id": "", + "id": "x-mitre-sensor-mapping--994e9c11-3d25-4826-84e6-6ea185fde214", + "modified": "2023-10-27T20:54:34.684091Z", + "relationship": "Requested Access To", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.685094Z", + "data_component": "Process Access", + "data_source": "Process", + 
"description": "An attempt was made to access an object", + "event_id": "", + "id": "x-mitre-sensor-mapping--1b8b6ba1-c013-42ae-9e11-2908774ea252", + "modified": "2023-10-27T20:54:34.685094Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.686091Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "Program execution. When you start a program you are creating a process that stays open until the program ends", + "event_id": "", + "id": "x-mitre-sensor-mapping--d4fb43d0-372d-4fb5-81fa-600b6c7fd205", + "modified": "2023-10-27T20:54:34.686091Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.688105Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "A primary token was assigned to process. 
The assigning process fields identifies the process that started the child (new) process", + "event_id": "", + "id": "x-mitre-sensor-mapping--6e92a629-f8db-4949-9e5b-c51482d632c4", + "modified": "2023-10-27T20:54:34.688105Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.690653Z", + "data_component": "Process Termination", + "data_source": "Process", + "description": "A process has exited.", + "event_id": "", + "id": "x-mitre-sensor-mapping--4aae9b9f-ebec-42e4-8efd-e3f93f1fce80", + "modified": "2023-10-27T20:54:34.690653Z", + "relationship": "Terminated", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.692641Z", + "data_component": "Scheduled Job Creation", + "data_source": "Scheduled Job", + "description": "A scheduled task was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d4eb6375-3fc8-4763-ac0b-d6eacd58ddde", + "modified": "2023-10-27T20:54:34.692641Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.693653Z", + "data_component": "Scheduled Job Deletion", + "data_source": "Scheduled Job", + "description": "A scheduled task was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--68df0a15-a726-4b08-ac4b-34825d614220", + "modified": "2023-10-27T20:54:34.693653Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.695642Z", 
+ "data_component": "Scheduled Job Modification", + "data_source": "Scheduled Job", + "description": "A scheduled task was enabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--519983d9-918f-43d9-8ce4-69c222983f1a", + "modified": "2023-10-27T20:54:34.695642Z", + "relationship": "Enabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.697655Z", + "data_component": "Scheduled Job Modification", + "data_source": "Scheduled Job", + "description": "A scheduled task was disabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--93d81310-8e48-442d-bf36-93c9afeb4066", + "modified": "2023-10-27T20:54:34.697655Z", + "relationship": "Disabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.699642Z", + "data_component": "Scheduled Job Modification", + "data_source": "Scheduled Job", + "description": "A scheduled task was updated.", + "event_id": "", + "id": "x-mitre-sensor-mapping--4bf8f1f3-37c8-4fb0-af68-039a38f1ac82", + "modified": "2023-10-27T20:54:34.699642Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.700641Z", + "data_component": "Script Execution", + "data_source": "Script", + "description": "Module logging.", + "event_id": "", + "id": "x-mitre-sensor-mapping--be77c162-ac3e-46e1-8967-57ba0e1fb964", + "modified": "2023-10-27T20:54:34.700641Z", + "relationship": "Executed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Script", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0012" + }, + { + 
"created": "2023-10-27T20:54:34.701641Z", + "data_component": "Script Execution", + "data_source": "Script", + "description": "Script Block Logging.", + "event_id": "", + "id": "x-mitre-sensor-mapping--565947ca-0d3a-45f2-96df-2d7c4dde8a1a", + "modified": "2023-10-27T20:54:34.701641Z", + "relationship": "Executed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Script", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0012" + }, + { + "created": "2023-10-27T20:54:34.704645Z", + "data_component": "Service Access", + "data_source": "Service", + "description": "A handle to an object was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--87b2918f-a699-4a50-bd65-cd2ab5cc8619", + "modified": "2023-10-27T20:54:34.704645Z", + "relationship": "Requested Access To", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.70665Z", + "data_component": "Service Creation", + "data_source": "Service", + "description": "A service was installed in the system.", + "event_id": "", + "id": "x-mitre-sensor-mapping--7c517e66-82c1-45e3-9f5b-e7dad465f62c", + "modified": "2023-10-27T20:54:34.70665Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.709658Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "The Event log service was started.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ce94aebb-f40b-40ce-812d-54b84ee7b7cc", + "modified": "2023-10-27T20:54:34.709658Z", + "relationship": "Started", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + 
{ + "created": "2023-10-27T20:54:34.71166Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "The Event log service was stopped.", + "event_id": "", + "id": "x-mitre-sensor-mapping--95cf6ea5-3ae1-414a-b1af-d18367fd58ff", + "modified": "2023-10-27T20:54:34.71166Z", + "relationship": "Stopped", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.714648Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "A logon was attempted using explicit credentials.", + "event_id": "", + "id": "x-mitre-sensor-mapping--73a40ddb-4ce3-45cc-81d6-2bf648dea01c", + "modified": "2023-10-27T20:54:34.714648Z", + "relationship": "Attempted To Authenticate From", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ip/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.715723Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "The computer attempted to validate the credentials for an account", + "event_id": "", + "id": "x-mitre-sensor-mapping--6f4a7dc6-7092-4b60-8974-847a41c21516", + "modified": "2023-10-27T20:54:34.715723Z", + "relationship": "Authenticated From", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.717655Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "An account failed to log on", + "event_id": "", + "id": "x-mitre-sensor-mapping--410e240d-2e6b-4eae-8821-d353980de72d", + "modified": "2023-10-27T20:54:34.717655Z", + "relationship": "Attempted To Authenticate From", + "revoked": false, + 
"source": "User", + "spec_version": "2.1", + "target": "Ip/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.718724Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "A user account was created", + "event_id": "", + "id": "x-mitre-sensor-mapping--b4ba2c18-adf5-430c-87df-c1b1c80bae94", + "modified": "2023-10-27T20:54:34.718724Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.720708Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "A computer account was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--cd79bb3a-e513-4c11-977d-1ca04f84e9bb", + "modified": "2023-10-27T20:54:34.720708Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.721726Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "A user account was deleted", + "event_id": "", + "id": "x-mitre-sensor-mapping--0a5c3f03-c736-42a9-b043-bc591bc1aca0", + "modified": "2023-10-27T20:54:34.721726Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.723725Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "A computer account was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--e7501fc3-b60d-4fa0-b357-341b868a4b49", + "modified": "2023-10-27T20:54:34.723725Z", + 
"relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.725641Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An operation was attempted on a privileged object", + "event_id": "", + "id": "x-mitre-sensor-mapping--b4854a02-a8e2-462b-9df5-450000d2a1bf", + "modified": "2023-10-27T20:54:34.725641Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Privileges", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.726697Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user right was adjusted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--fcfae151-327c-4a79-a856-588a4f8ab4a1", + "modified": "2023-10-27T20:54:34.726697Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.728655Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "System security access was granted to an account.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9192d4f4-a4b8-4078-8854-441db3e789b7", + "modified": "2023-10-27T20:54:34.728655Z", + "relationship": "Granted Access To", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.730663Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "System security access was removed from an account.", + 
"event_id": "", + "id": "x-mitre-sensor-mapping--ffb811be-2c92-43fe-a609-621dc33f5f66", + "modified": "2023-10-27T20:54:34.730663Z", + "relationship": "Removed Access To", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.731658Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was enabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d8f4a209-0869-44b7-9bfd-c06903230d1c", + "modified": "2023-10-27T20:54:34.731658Z", + "relationship": "Enabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.733647Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "An attempt was made to change an account's password.", + "event_id": "", + "id": "x-mitre-sensor-mapping--855aff4d-b4fe-4d3c-8df0-014efa14774a", + "modified": "2023-10-27T20:54:34.733647Z", + "relationship": "Attempted To Modify", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.73565Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "An attempt was made to reset an account's password", + "event_id": "", + "id": "x-mitre-sensor-mapping--7c8505e1-32d7-4dcb-8fb8-50c240d6b435", + "modified": "2023-10-27T20:54:34.73565Z", + "relationship": "Attempted To Modify", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.737643Z", 
+ "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was disabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--25dadb52-d682-40bf-aea3-ffc85414c0bb", + "modified": "2023-10-27T20:54:34.737643Z", + "relationship": "Disabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.739732Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8f6d37f1-396c-47e3-a7bb-6ca1ba19a6be", + "modified": "2023-10-27T20:54:34.739732Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.740729Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was locked out.", + "event_id": "", + "id": "x-mitre-sensor-mapping--27ecc59a-e060-48f0-8e28-83d8a495f4b3", + "modified": "2023-10-27T20:54:34.740729Z", + "relationship": "Locked", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.742647Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A computer account was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--6e635ed3-12ba-4ba6-8980-6887945d0591", + "modified": "2023-10-27T20:54:34.742647Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": 
"DS0002" + }, + { + "created": "2023-10-27T20:54:34.744775Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was unlocked.", + "event_id": "", + "id": "x-mitre-sensor-mapping--be1540fe-06c7-4057-85e3-6767f8fe1be2", + "modified": "2023-10-27T20:54:34.744775Z", + "relationship": "Unlocked", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.745834Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "The name of an account was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--0fb4b9ef-bd1e-4d49-b62e-b66e894e8674", + "modified": "2023-10-27T20:54:34.745834Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.74786Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "An attempt was made to access an object", + "event_id": "", + "id": "x-mitre-sensor-mapping--a40054e1-91dc-4bb0-a142-34e86368b26d", + "modified": "2023-10-27T20:54:34.74786Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.749927Z", + "data_component": "Windows Registry Key Creation", + "data_source": "Windows Registry", + "description": "A registry value was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--5d29cd0b-7115-4e9b-8412-073974118f87", + "modified": "2023-10-27T20:54:34.749927Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + 
"spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.751852Z", + "data_component": "Windows Registry Key Deletion", + "data_source": "Windows Registry", + "description": "A registry value was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--dab61b4b-d4a3-4fda-a98e-ef63d54cbc7e", + "modified": "2023-10-27T20:54:34.751852Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.753689Z", + "data_component": "Windows Registry Key Deletion", + "data_source": "Windows Registry", + "description": "An object was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--0fe79cfc-2ccb-4413-b16a-42228bb5a2c7", + "modified": "2023-10-27T20:54:34.753689Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.755229Z", + "data_component": "Windows Registry Key Modification", + "data_source": "Windows Registry", + "description": "A registry value was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--f3f0b5e0-6ae3-45e0-af38-76361ecee18a", + "modified": "2023-10-27T20:54:34.755229Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.756312Z", + "data_component": "Windows Registry Key Modification", + "data_source": "Windows Registry", + "description": "Permissions on an object were changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--1694e3c0-cd76-49f9-a007-9c20cdb855cb", + 
"modified": "2023-10-27T20:54:34.756312Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.757306Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMIProv provider started.", + "event_id": "", + "id": "x-mitre-sensor-mapping--eb1171b4-6268-4d16-b5a3-3ab197501c8e", + "modified": "2023-10-27T20:54:34.757306Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.75988Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI Query Error.", + "event_id": "", + "id": "x-mitre-sensor-mapping--f9a5682d-31bd-4e05-877f-d17edb3ef379", + "modified": "2023-10-27T20:54:34.75988Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.762518Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI Event.", + "event_id": "", + "id": "x-mitre-sensor-mapping--03d02b73-b89c-4013-a6cc-ba57a552196b", + "modified": "2023-10-27T20:54:34.762518Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.764033Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI temporary event created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--f1433855-fca8-4e8a-9546-48ef359b0a63", + "modified": "2023-10-27T20:54:34.764033Z", + "relationship": "Created", 
+ "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.766193Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI permanent event created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--bde104e3-27c1-4e84-a3db-9ab5ffff94da", + "modified": "2023-10-27T20:54:34.766193Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.797272Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for NTLM messages of type authenticate.", + "event_id": "ntlm_authenticate", + "id": "x-mitre-sensor-mapping--e955996d-7720-45bd-bd74-04c10f68889b", + "modified": "2023-10-27T20:54:34.797272Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ntlm", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.799311Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for NTLM messages of type challenge.", + "event_id": "ntlm_challenge", + "id": "x-mitre-sensor-mapping--fbb31ca9-ad6a-4f0e-bada-8e9851e3e42d", + "modified": "2023-10-27T20:54:34.799311Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Ntlm", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.800341Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for successful authentications on POP3 connections.", 
+ "event_id": "pop3_login_success", + "id": "x-mitre-sensor-mapping--f6e7333d-e649-486b-8f07-24887ac12a27", + "modified": "2023-10-27T20:54:34.800341Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.801335Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated when RDPEUDP connections are established (both sides SYN)", + "event_id": "rdpeudp_established", + "id": "x-mitre-sensor-mapping--b5e4acb7-934d-4955-9dca-db85f1f58381", + "modified": "2023-10-27T20:54:34.801335Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.801335Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for RDPEUDP SYN UDP Datagram", + "event_id": "rdpeudp_syn", + "id": "x-mitre-sensor-mapping--10b7a00c-2c27-4db2-b6db-4a0f469e2463", + "modified": "2023-10-27T20:54:34.801335Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.802349Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for RDPEUDP SYNACK UDP Datagram", + "event_id": "rdpeudp_synack", + "id": "x-mitre-sensor-mapping--5ac4c92f-31f1-462f-a0b1-2b65976a78e3", + "modified": "2023-10-27T20:54:34.802349Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.804573Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated when a SOCKS server replies to a username/password login attempt.", + "event_id": "socks_login_userpass_reply", + "id": "x-mitre-sensor-mapping--20136b1b-980b-4fad-886c-ff8521bfc658", + "modified": "2023-10-27T20:54:34.804573Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Socks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.80538Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated when a SOCKS client performs username and password based login.", + "event_id": "socks_login_userpass_request", + "id": "x-mitre-sensor-mapping--5272bf98-d7a7-4538-bbeb-a3f7e1274616", + "modified": "2023-10-27T20:54:34.80538Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Socks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.805923Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method.", + "event_id": "ssh2_dh_server_params", + "id": "x-mitre-sensor-mapping--c940feb1-1be4-4147-b5da-577514e239c0", + "modified": "2023-10-27T20:54:34.805923Z", + "relationship": "Connected Through", + "revoked": false, + "source": "", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.806932Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for an 
SSL/TLS client’s initial hello message.", + "event_id": "ssl_client_hello", + "id": "x-mitre-sensor-mapping--9297ae11-0a2e-48b8-944f-82e40e05296b", + "modified": "2023-10-27T20:54:34.806932Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.807928Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated at the end of an SSL/TLS handshake.", + "event_id": "ssl_established", + "id": "x-mitre-sensor-mapping--f6e09926-0b5b-44cc-88c8-b703668478c6", + "modified": "2023-10-27T20:54:34.807928Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.810027Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated if a client uses RSA key exchange.", + "event_id": "ssl_rsa_client_pms", + "id": "x-mitre-sensor-mapping--110521f6-1003-47bb-9215-2ba058715ae6", + "modified": "2023-10-27T20:54:34.810027Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.811028Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for an SSL/TLS server’s initial hello message.", + "event_id": "ssl_server_hello", + "id": "x-mitre-sensor-mapping--78546a60-5201-4e62-af99-77cc159daff4", + "modified": "2023-10-27T20:54:34.811028Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": 
"Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.812259Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for SSL/TLS handshake messages that are a part of the stateless-server session resumption mechanism.", + "event_id": "ssl_session_ticket_handshake", + "id": "x-mitre-sensor-mapping--f359956e-5213-4498-8dc1-ce271de33956", + "modified": "2023-10-27T20:54:34.812259Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.814622Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated when seeing a SYN-ACK packet from the responder in a TCP handshake.", + "event_id": "connection_established", + "id": "x-mitre-sensor-mapping--b9e99f4c-4402-4485-bb1f-2c8db5acbbd5", + "modified": "2023-10-27T20:54:34.814622Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.815608Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for the first ACK packet seen for a TCP connection from its originator.", + "event_id": "connection_first_ack", + "id": "x-mitre-sensor-mapping--37506c40-baec-433a-8802-cefb3734b091", + "modified": "2023-10-27T20:54:34.815608Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.817657Z", + "data_component": "Network Connection 
Creation", + "data_source": "Network Traffic", + "description": "Generated for a SYN packet.", + "event_id": "connection_SYN_packet", + "id": "x-mitre-sensor-mapping--f7c96d1e-1196-4e45-beb4-1ac85977f066", + "modified": "2023-10-27T20:54:34.817657Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.818693Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "This event is generated when an SSH connection was determined to have had a successful authentication.", + "event_id": "ssh_auth_successful", + "id": "x-mitre-sensor-mapping--df994584-7a37-4ec7-b4ab-dbfff1f34803", + "modified": "2023-10-27T20:54:34.818693Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.819696Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for passing on all data decoded from a single email MIME message.", + "event_id": "mime_all_data", + "id": "x-mitre-sensor-mapping--62bb7efc-9ef4-4126-a537-ecb5f221ef9f", + "modified": "2023-10-27T20:54:34.819696Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Mime", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.8207Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for data decoded from an email MIME entity.", + "event_id": "mime_entity_data", + "id": "x-mitre-sensor-mapping--41ef1505-3ef5-44f0-8987-fbd49ab57483", + "modified": 
"2023-10-27T20:54:34.8207Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Mime", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.822693Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for decoded MIME entities extracted from email messages, passing on their MD5 checksums.", + "event_id": "mime_content_hash", + "id": "x-mitre-sensor-mapping--f56164ca-27fa-4e03-a485-9c2ee02a6ee3", + "modified": "2023-10-27T20:54:34.822693Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Mime", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.823697Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for reporting an HTTP body’s content type.", + "event_id": "http_content_type", + "id": "x-mitre-sensor-mapping--1ac01691-401a-4fe1-9de3-3d78d25d30f9", + "modified": "2023-10-27T20:54:34.823697Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.825686Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated when parsing an HTTP body entity, passing on the data.", + "event_id": "http_entity_data", + "id": "x-mitre-sensor-mapping--52781b36-fe33-4e90-b1c3-985e4ef3ed0b", + "modified": "2023-10-27T20:54:34.825686Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + 
"created": "2023-10-27T20:54:34.827689Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for HTTP headers, passing on all headers of an HTTP message at once.", + "event_id": "http_all_headers", + "id": "x-mitre-sensor-mapping--a176bb79-2941-490f-8ee3-acb70a561a01", + "modified": "2023-10-27T20:54:34.827689Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.829687Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP destination unreachable messages.", + "event_id": "icmp_unreachable", + "id": "x-mitre-sensor-mapping--d344c8d1-c764-42af-88f8-77392e1ec2c0", + "modified": "2023-10-27T20:54:34.829687Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.830688Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP neighbor advertisement messages.", + "event_id": "icmp_neighbor_advertisement", + "id": "x-mitre-sensor-mapping--b5f927e1-4ee3-4b81-8f56-7b8ecb5ae3bd", + "modified": "2023-10-27T20:54:34.830688Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.832684Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP router advertisement messages.", + "event_id": "icmp_neighbor_advertisement", + "id": 
"x-mitre-sensor-mapping--4558ec34-464d-4263-b095-d8a7e338d717", + "modified": "2023-10-27T20:54:34.832684Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.831686Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP neighbor solicitation messages.", + "event_id": "icmp_neighbor_solicitation", + "id": "x-mitre-sensor-mapping--0dc4afdc-52aa-4697-a65a-eab5ac769a40", + "modified": "2023-10-27T20:54:34.831686Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.833684Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP router solicitation messages.", + "event_id": "icmp_neighbor_solicitation", + "id": "x-mitre-sensor-mapping--fb5e0577-d279-475d-b81d-cfca5e36f292", + "modified": "2023-10-27T20:54:34.833684Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.834691Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type session message that are not carrying an SMB payload.", + "event_id": "netbios_session_raw_message", + "id": "x-mitre-sensor-mapping--5a2157bb-dd29-4751-92d8-a393d5322795", + "modified": "2023-10-27T20:54:34.834691Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.835685Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for client cluster data packets.", + "event_id": "rdp_client_cluster_data", + "id": "x-mitre-sensor-mapping--38f1b937-dbcc-4787-bf79-e1b48e65039f", + "modified": "2023-10-27T20:54:34.835685Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.836684Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for MCS client requests.", + "event_id": "rdp_client_core_data", + "id": "x-mitre-sensor-mapping--548c41ff-8bb2-4e21-be51-65eb85a748c6", + "modified": "2023-10-27T20:54:34.836684Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.837683Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Client Network Data (TS_UD_CS_NET) packets.", + "event_id": "rdp_client_network_data", + "id": "x-mitre-sensor-mapping--fb417c37-0e00-4b38-8fb7-057fb021db4e", + "modified": "2023-10-27T20:54:34.837683Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.838683Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for client security data packets.", + "event_id": "rdp_client_security_data", + "id": 
"x-mitre-sensor-mapping--08f04472-1f67-477e-8830-bff47073a939", + "modified": "2023-10-27T20:54:34.838683Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.839683Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for a server certificate section.", + "event_id": "rdp_server_certificate", + "id": "x-mitre-sensor-mapping--bef73a92-a3b2-4a8d-9c8a-d3e1b77f5ed2", + "modified": "2023-10-27T20:54:34.839683Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.840683Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for each MOUNT3 reply message received, reporting just the status included.", + "event_id": "mount_reply_status", + "id": "x-mitre-sensor-mapping--f7c1559b-6c30-49cb-ac62-d0c789c014ac", + "modified": "2023-10-27T20:54:34.840683Z", + "relationship": "Replied To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.841686Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type callit.", + "event_id": "pm_request_callit", + "id": "x-mitre-sensor-mapping--64683432-1b95-4cb5-af12-d833a1568f7d", + "modified": "2023-10-27T20:54:34.841686Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.843697Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type dump.", + "event_id": "pm_request_dump", + "id": "x-mitre-sensor-mapping--9af5d89b-4f58-4ee7-8c43-a60d4af3d41f", + "modified": "2023-10-27T20:54:34.843697Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.845736Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type getport.", + "event_id": "pm_request_getport", + "id": "x-mitre-sensor-mapping--9a8fc07f-efc4-41db-9702-4962ce29307b", + "modified": "2023-10-27T20:54:34.845736Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.846824Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type null.", + "event_id": "pm_request_null", + "id": "x-mitre-sensor-mapping--08e1925a-8573-454f-b22a-c4b3d9636701", + "modified": "2023-10-27T20:54:34.846824Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.846968Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type set.", + "event_id": "pm_request_set", + "id": 
"x-mitre-sensor-mapping--3cd58f48-3015-49c9-8a0e-3fc96a7f1092", + "modified": "2023-10-27T20:54:34.846968Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.847966Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type unset.", + "event_id": "pm_request_unset", + "id": "x-mitre-sensor-mapping--a7700502-6760-47b8-8aa4-835cf26e2d09", + "modified": "2023-10-27T20:54:34.847966Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.848963Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated once for all SIP headers from the originator or responder.", + "event_id": "sip_all_headers", + "id": "x-mitre-sensor-mapping--e9b43e8a-b694-4b17-84b8-4bbd3b6836f3", + "modified": "2023-10-27T20:54:34.848963Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Sip", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.850054Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type negotiate.", + "event_id": "smb2_negotiate_request", + "id": "x-mitre-sensor-mapping--8604dd4a-e1e1-4256-91ed-7f88a50c6bb6", + "modified": "2023-10-27T20:54:34.850054Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.850966Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type negotiate.", + "event_id": "smb2_negotiate_response", + "id": "x-mitre-sensor-mapping--163b5941-0b10-410e-b8fa-b3d6ce08ceb7", + "modified": "2023-10-27T20:54:34.850966Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.852058Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type read.", + "event_id": "smb2_read_request", + "id": "x-mitre-sensor-mapping--b1e4a688-fcf6-45a8-88b7-4a3fe5951dca", + "modified": "2023-10-27T20:54:34.852058Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.853051Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type session_setup.", + "event_id": "smb2_session_setup_request", + "id": "x-mitre-sensor-mapping--99d81405-1b2f-4c0a-9e37-8e1c2aa3aadf", + "modified": "2023-10-27T20:54:34.853051Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.854054Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type session_setup.", + "event_id": 
"smb2_session_setup_response", + "id": "x-mitre-sensor-mapping--1ded89b6-99a9-41e7-af9d-b0f915cfb5e7", + "modified": "2023-10-27T20:54:34.854054Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.854054Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the allocation subtype", + "event_id": "smb2_file_allocation", + "id": "x-mitre-sensor-mapping--74bacf2d-6483-4842-aae1-08d2af203518", + "modified": "2023-10-27T20:54:34.854054Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.855041Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the delete subtype", + "event_id": "smb2_file_allocation", + "id": "x-mitre-sensor-mapping--c2ce6434-40bb-462a-96ad-4f98382c593e", + "modified": "2023-10-27T20:54:34.855041Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.856125Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the end_of_file subtype", + "event_id": "smb2_file_endoffile", + "id": "x-mitre-sensor-mapping--f1b5e8e5-7324-4b5f-adb1-ceccf6aa74c7", + "modified": "2023-10-27T20:54:34.856125Z", + "relationship": "Communicated With", + "revoked": 
false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.857192Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the fs_control subtype", + "event_id": "smb2_file_fscontrol", + "id": "x-mitre-sensor-mapping--e612d272-34ae-495c-a2b4-dd58ae3c74a7", + "modified": "2023-10-27T20:54:34.857192Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.858198Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the fs_object_id subtype", + "event_id": "smb2_file_fsobjectid", + "id": "x-mitre-sensor-mapping--c5f5c0ef-18a8-40a5-8077-5c4a1a54b630", + "modified": "2023-10-27T20:54:34.858198Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.859108Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the full_EA subtype", + "event_id": "smb2_file_fullea", + "id": "x-mitre-sensor-mapping--fef85e38-f61d-4b25-84ff-7aa1f63ae6bd", + "modified": "2023-10-27T20:54:34.859108Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": 
"2023-10-27T20:54:34.861114Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the link subtype", + "event_id": "smb2_file_link", + "id": "x-mitre-sensor-mapping--f463b61f-e90e-4075-ba04-bb2e068df170", + "modified": "2023-10-27T20:54:34.861114Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.862107Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the mode subtype", + "event_id": "smb2_file_mode", + "id": "x-mitre-sensor-mapping--a21df9af-63c5-4182-b64f-f099aebb1d77", + "modified": "2023-10-27T20:54:34.862107Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.864109Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the pipe subtype", + "event_id": "smb2_file_pipe", + "id": "x-mitre-sensor-mapping--8e915d50-7daa-4719-92dc-6adc426c666c", + "modified": "2023-10-27T20:54:34.864109Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.865107Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the position subtype", + "event_id": 
"smb2_file_position", + "id": "x-mitre-sensor-mapping--11bd54f0-278d-4577-82d4-8d2901aa5086", + "modified": "2023-10-27T20:54:34.865107Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.867106Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the rename subtype", + "event_id": "smb2_file_rename", + "id": "x-mitre-sensor-mapping--605e399b-2469-4662-be97-d613872b0485", + "modified": "2023-10-27T20:54:34.867106Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.868105Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the sattr subtype", + "event_id": "smb2_file_sattr", + "id": "x-mitre-sensor-mapping--ad020d57-8ac7-4951-b05c-81fe8a5bba33", + "modified": "2023-10-27T20:54:34.868105Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.870107Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the short_name subtype", + "event_id": "smb2_file_shortname", + "id": "x-mitre-sensor-mapping--aa358f3c-1e1b-44b0-aead-a61c6c790c80", + "modified": "2023-10-27T20:54:34.870107Z", + "relationship": "Communicated With", + "revoked": false, + "source": 
"Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.871111Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the valid_data_length subtype", + "event_id": "smb2_file_validdatalength", + "id": "x-mitre-sensor-mapping--897ca04a-88af-4b26-a734-1fb44043d5ef", + "modified": "2023-10-27T20:54:34.871111Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.872109Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 3.x transform_header.", + "event_id": "smb2_transform_header", + "id": "x-mitre-sensor-mapping--31384f56-0655-41f9-b522-c0a5f798bbd2", + "modified": "2023-10-27T20:54:34.872109Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.873159Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type tree_connect.", + "event_id": "smb2_tree_connect_request", + "id": "x-mitre-sensor-mapping--0b404b4b-3a4f-42cd-bb5d-24080f0df3c6", + "modified": "2023-10-27T20:54:34.873159Z", + "relationship": "Read", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.874176Z", + "data_component": "Network Traffic Content", + 
"data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type tree_connect.", + "event_id": "smb2_tree_connect_response", + "id": "x-mitre-sensor-mapping--1aa23362-33e0-49ba-8f62-f940ce91501b", + "modified": "2023-10-27T20:54:34.874176Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.875164Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type tree disconnect.", + "event_id": "smb2_tree_disconnect_request", + "id": "x-mitre-sensor-mapping--1cc4585f-1822-492d-8676-689700493aa2", + "modified": "2023-10-27T20:54:34.875164Z", + "relationship": "Disconnected", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.877484Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type tree disconnect.", + "event_id": "smb2_tree_disconnect_response", + "id": "x-mitre-sensor-mapping--076778e2-41ba-4d6f-9106-752eec4425eb", + "modified": "2023-10-27T20:54:34.877484Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.87848Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type write.", + "event_id": "smb2_write_request", + "id": "x-mitre-sensor-mapping--07d03e4f-24c6-4b81-ae27-6bf50ff463c2", + "modified": 
"2023-10-27T20:54:34.87848Z", + "relationship": "Write", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.879479Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type write.", + "event_id": "smb2_write_response", + "id": "x-mitre-sensor-mapping--24a72dac-7bd2-4a58-84f6-b3eeca349dc3", + "modified": "2023-10-27T20:54:34.879479Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.880481Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMPv3 encrypted PDU message.", + "event_id": "snmp_encrypted_pdu", + "id": "x-mitre-sensor-mapping--ff6ff08c-b2e1-4a14-9e87-6f6f2d385ccd", + "modified": "2023-10-27T20:54:34.880481Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host, Process/User", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.881478Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP GetRequest-PDU message from either RFC 1157 or RFC 3416.", + "event_id": "snmp_get_request", + "id": "x-mitre-sensor-mapping--ecd8fc6f-0ad4-4dc3-b57f-563255e398fc", + "modified": "2023-10-27T20:54:34.881478Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.88248Z", + "data_component": "Network 
Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP Report-PDU message from RFC 3416.", + "event_id": "snmp_report", + "id": "x-mitre-sensor-mapping--e17d4c77-d082-40b0-a18c-debca7784d71", + "modified": "2023-10-27T20:54:34.88248Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.883479Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP SetRequest-PDU message from either RFC 1157 or RFC 3416.", + "event_id": "snmp_set_request", + "id": "x-mitre-sensor-mapping--8cb70bbb-356b-456b-8d5d-189439684284", + "modified": "2023-10-27T20:54:34.883479Z", + "relationship": "Modified", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.884478Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP Trap-PDU message from RFC 1157.", + "event_id": "snmp_trap", + "id": "x-mitre-sensor-mapping--c89ad353-6d73-4006-aba8-41595d705149", + "modified": "2023-10-27T20:54:34.884478Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.885484Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP SNMPv2-Trap-PDU message from RFC 1157.", + "event_id": "snmp_trapv2", + "id": "x-mitre-sensor-mapping--0b849414-e35f-4496-8641-c348c1c87313", + "modified": "2023-10-27T20:54:34.885484Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process", + 
"spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.886972Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference.", + "event_id": "ssh_capabilities", + "id": "x-mitre-sensor-mapping--9a081374-aeb3-457d-9bc4-046e17a2fecf", + "modified": "2023-10-27T20:54:34.886972Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.887969Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "This event is generated when an SSH encrypted packet is seen.", + "event_id": "ssh_encrypted_packet", + "id": "x-mitre-sensor-mapping--5e5b8d11-7530-4b10-a76c-f17236e139c2", + "modified": "2023-10-27T20:54:34.887969Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.889006Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "During the SSH key exchange, the server supplies its public host key.", + "event_id": "ssh1_server_host_key", + "id": "x-mitre-sensor-mapping--3b931ff4-7f09-4549-9ec3-c77c816e3110", + "modified": "2023-10-27T20:54:34.889006Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.890007Z", + "data_component": "Network 
Traffic Content", + "data_source": "Network Traffic", + "description": "The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret.", + "event_id": "ssh2_ecc_key", + "id": "x-mitre-sensor-mapping--4aa2e8f7-f9ee-4599-a7ac-2822ddde1fda", + "modified": "2023-10-27T20:54:34.890007Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.891034Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "During the SSH key exchange, the server supplies its public host key.", + "event_id": "ssh2_server_host_key", + "id": "x-mitre-sensor-mapping--a9286172-8ce2-4fc1-b0d2-148913bb5c67", + "modified": "2023-10-27T20:54:34.891034Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.893792Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SSL/TLS alert records.", + "event_id": "ssl_alert", + "id": "x-mitre-sensor-mapping--2d7e2fda-e2ba-4539-a488-59304080cfd7", + "modified": "2023-10-27T20:54:34.893792Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.895325Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a client uses a DH-anon or DHE cipher suite.", + "event_id": "ssl_dh_client_params", + "id": "x-mitre-sensor-mapping--a5f7e051-014d-49d1-a938-cb00d4446321", + "modified": 
"2023-10-27T20:54:34.895325Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.89791Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a server uses a DH-anon or DHE cipher suite.", + "event_id": "ssl_dh_server_params", + "id": "x-mitre-sensor-mapping--b1b0209a-045d-4e61-868b-add94bfc9148", + "modified": "2023-10-27T20:54:34.89791Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.898907Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a client uses an ECDH-anon or ECDHE cipher suite.", + "event_id": "ssl_ecdh_client_params", + "id": "x-mitre-sensor-mapping--2b1e0289-8111-4a98-afe5-3c9010578646", + "modified": "2023-10-27T20:54:34.898907Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.899987Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve This event contains the named curve name and the server ECDH parameters contained in the ServerKeyExchange message as defined in RFC 4492.", + "event_id": "ssl_ecdh_server_params", + "id": "x-mitre-sensor-mapping--cf7b712e-cb61-4c15-888a-6c4504e3f553", + "modified": "2023-10-27T20:54:34.899987Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + 
"spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.902046Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SSL/TLS messages that are sent after session encryption started.", + "event_id": "ssl_encrypted_data", + "id": "x-mitre-sensor-mapping--156915b9-7737-4a80-84ab-a85c0dacd6ac", + "modified": "2023-10-27T20:54:34.902046Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.903033Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a server uses a non-anonymous DHE or ECDHE cipher suite.", + "event_id": "ssl_server_signature", + "id": "x-mitre-sensor-mapping--e0e01d97-6e22-4017-95d6-9949d6b2a3a3", + "modified": "2023-10-27T20:54:34.903033Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.903981Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for each chunk of reassembled TCP payload.", + "event_id": "tcp_contents", + "id": "x-mitre-sensor-mapping--f007b18c-b3d3-45e9-be3a-c7235bbe7ae3", + "modified": "2023-10-27T20:54:34.903981Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.904573Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": 
"Generated for each TCP header that contains TCP options.", + "event_id": "tcp_options", + "id": "x-mitre-sensor-mapping--9f265eff-7036-4605-9086-ffed18765c74", + "modified": "2023-10-27T20:54:34.904573Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.905551Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for every TCP packet.", + "event_id": "tcp_packet", + "id": "x-mitre-sensor-mapping--c9ffeba5-da30-43a2-8718-502ae31cc105", + "modified": "2023-10-27T20:54:34.905551Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.909212Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type close.", + "event_id": "smb2_close_request", + "id": "x-mitre-sensor-mapping--be69cc34-0b7e-4d09-8999-0a9f67cfda52", + "modified": "2023-10-27T20:54:34.909212Z", + "relationship": "Initiated?", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.911265Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type create.", + "event_id": "smb2_create_request", + "id": "x-mitre-sensor-mapping--44385fd6-824e-475f-a013-9f2233a25cd1", + "modified": "2023-10-27T20:54:34.911265Z", + "relationship": "Initiated?", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + 
"type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.912266Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for UDP packets to pass on their payload.", + "event_id": "udp_contents", + "id": "x-mitre-sensor-mapping--5f802879-5aec-4368-9a58-a288070f8abb", + "modified": "2023-10-27T20:54:34.912266Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Udp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.91334Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC alter context response message.", + "event_id": "dce_rpc_alter_context_resp", + "id": "x-mitre-sensor-mapping--34621428-0fdb-4709-8e95-7bb536441a2e", + "modified": "2023-10-27T20:54:34.91334Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.914453Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC alter context request message.", + "event_id": "dce_rpc_alter_context", + "id": "x-mitre-sensor-mapping--124fee40-7338-410f-987a-cfb82f9804bc", + "modified": "2023-10-27T20:54:34.914453Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.915502Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC bind request message.", + "event_id": "dce_rpc_bind", 
+ "id": "x-mitre-sensor-mapping--9931c0ec-cfd5-4b68-b508-a80d1177bc74", + "modified": "2023-10-27T20:54:34.915502Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.91657Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC bind request ack message.", + "event_id": "dce_rpc_bind_ack", + "id": "x-mitre-sensor-mapping--679ca171-bae9-4a7b-a345-17de55f9fd7a", + "modified": "2023-10-27T20:54:34.91657Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.917579Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MIME headers extracted from email MIME entities, passing all headers at once.", + "event_id": "mime_all_headers", + "id": "x-mitre-sensor-mapping--2d6d48f9-54f9-468c-8864-e25ea34b1a2a", + "modified": "2023-10-27T20:54:34.917579Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Mime", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.91862Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.", + "event_id": "imap_capabilities", + "id": "x-mitre-sensor-mapping--60049c1e-481c-4405-9956-4f3abe748935", + "modified": "2023-10-27T20:54:34.91862Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": 
"2.1", + "target": "Imap", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.9197Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.", + "event_id": "imap_start_tls", + "id": "x-mitre-sensor-mapping--32d1f71e-27ef-4783-a981-90795dc33d60", + "modified": "2023-10-27T20:54:34.9197Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Imap", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.92074Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120.", + "event_id": "krb_ap_request", + "id": "x-mitre-sensor-mapping--a672c581-b8de-401a-adaa-e2603f3e5620", + "modified": "2023-10-27T20:54:34.92074Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.921827Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120.", + "event_id": "krb_ap_response", + "id": "x-mitre-sensor-mapping--7f75cfba-fe72-4f7a-acca-e795a4c2c6b1", + "modified": "2023-10-27T20:54:34.921827Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.92286Z", + "data_component": "Network Traffic Flow", + "data_source": 
"Network Traffic", + "description": "A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120.", + "event_id": "krb_as_request", + "id": "x-mitre-sensor-mapping--1a5ab784-7693-47e8-8ff7-59f2d1e2e23e", + "modified": "2023-10-27T20:54:34.92286Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.924176Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120.", + "event_id": "krb_as_response", + "id": "x-mitre-sensor-mapping--0ca95abe-4d96-4875-8fc1-5e2312c9e1bd", + "modified": "2023-10-27T20:54:34.924176Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.926165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120.", + "event_id": "krb_tgs_request", + "id": "x-mitre-sensor-mapping--0a8b9a57-9fe0-4800-b3fb-e2b20b16ded2", + "modified": "2023-10-27T20:54:34.926165Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.927168Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120.", + "event_id": "krb_tgs_response", + "id": "x-mitre-sensor-mapping--60ec0474-f3ef-4205-ab4b-f6e73080900b", + "modified": 
"2023-10-27T20:54:34.927168Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.928299Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type positive session response.", + "event_id": "netbios_session_accepted", + "id": "x-mitre-sensor-mapping--ae3c1c47-2f46-423e-92af-43a490a8a500", + "modified": "2023-10-27T20:54:34.928299Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.929301Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type keep-alive.", + "event_id": "netbios_session_keepalive", + "id": "x-mitre-sensor-mapping--efd53ba5-f8e5-42a7-88a9-3bcf2202a7e8", + "modified": "2023-10-27T20:54:34.929301Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.930428Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for all NetBIOS SSN and DGM messages.", + "event_id": "netbios_session_message", + "id": "x-mitre-sensor-mapping--06200f7e-a24b-489c-9b97-ec77948e68f3", + "modified": "2023-10-27T20:54:34.930428Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": 
"2023-10-27T20:54:34.931427Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type negative session response.", + "event_id": "netbios_session_rejected", + "id": "x-mitre-sensor-mapping--fdf3b0a3-1cf9-4925-8941-ec031ddd01ec", + "modified": "2023-10-27T20:54:34.931427Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.932448Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type session request.", + "event_id": "netbios_session_request", + "id": "x-mitre-sensor-mapping--cec547b8-907c-464b-a562-9b15c85e114b", + "modified": "2023-10-27T20:54:34.932448Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.93344Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type retarget response.", + "event_id": "netbios_session_ret_arg_resp", + "id": "x-mitre-sensor-mapping--e9d90fe0-1917-499d-a715-c3008dee49ac", + "modified": "2023-10-27T20:54:34.93344Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.934487Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NTLM messages of type negotiate.", + "event_id": "ntlm_negotiate", + "id": 
"x-mitre-sensor-mapping--80b49df7-4fd3-4433-b539-df3580ad8370", + "modified": "2023-10-27T20:54:34.934487Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Ntlm", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.935475Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for all NTP messages.", + "event_id": "ntp_message", + "id": "x-mitre-sensor-mapping--0b1e9c2e-c94a-414d-89c9-776352ea8ac9", + "modified": "2023-10-27T20:54:34.935475Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Ntp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.936518Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for server-side multi-line responses on POP3 connections.", + "event_id": "pop3_data", + "id": "x-mitre-sensor-mapping--2339086e-371c-4208-b93d-b0fc7ab9327d", + "modified": "2023-10-27T20:54:34.936518Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.937524Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for unsuccessful authentications on POP3 connections.", + "event_id": "pop3_login_failure", + "id": "x-mitre-sensor-mapping--2c3a24bc-e494-4eff-bd0e-e9f8f63444e7", + "modified": "2023-10-27T20:54:34.937524Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + 
{ + "created": "2023-10-27T20:54:34.938597Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a POP3 connection goes encrypted.", + "event_id": "pop3_starttls", + "id": "x-mitre-sensor-mapping--ed5482c6-74f7-4cfe-9004-183fffb2d2eb", + "modified": "2023-10-27T20:54:34.938597Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.939588Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when an RDP session becomes encrypted.", + "event_id": "rdp_begin_encryption", + "id": "x-mitre-sensor-mapping--2cdc1556-8d1e-4c62-be57-e5d8f1bc96bb", + "modified": "2023-10-27T20:54:34.939588Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.941106Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for X.224 client requests.", + "event_id": "rdp_connect_request", + "id": "x-mitre-sensor-mapping--71679aa1-0b3d-4d7d-b20c-92e8f0045d2e", + "modified": "2023-10-27T20:54:34.941106Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.942172Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MCS server responses.", + "event_id": "rdp_gcc_server_create_response", + "id": "x-mitre-sensor-mapping--9a1cfff4-bb59-425b-b257-6d42c37cc707", + "modified": 
"2023-10-27T20:54:34.942172Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.943126Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each packet after RDP native encryption begins.", + "event_id": "rdp_native_encrypted_data", + "id": "x-mitre-sensor-mapping--c4b02273-3f6a-48ff-bee8-8a98eac50ab8", + "modified": "2023-10-27T20:54:34.943126Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.945169Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RDP Negotiation Failure messages.", + "event_id": "rdp_negotiation_failure", + "id": "x-mitre-sensor-mapping--33ffa71c-0c95-45b8-a664-3f4f85b37edb", + "modified": "2023-10-27T20:54:34.945169Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.947167Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RDP Negotiation Response messages.", + "event_id": "rdp_negotiation_response", + "id": "x-mitre-sensor-mapping--b9e407de-86b6-4f2e-8021-f44fe5df2a31", + "modified": "2023-10-27T20:54:34.947167Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": 
"2023-10-27T20:54:34.948167Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MCS server responses.", + "event_id": "rdp_server_security", + "id": "x-mitre-sensor-mapping--b1920740-fe92-4991-a4b4-bd5a859d00a7", + "modified": "2023-10-27T20:54:34.948167Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.949166Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when for data messages exchanged after a RDPEUDP connection establishes", + "event_id": "rdpeudp_data", + "id": "x-mitre-sensor-mapping--267f3671-7a07-4575-bef6-fd08ba2d8da0", + "modified": "2023-10-27T20:54:34.949166Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.950165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RPC call messages.", + "event_id": "rpc_call", + "id": "x-mitre-sensor-mapping--e76ea538-3d36-41e3-833d-78ddb394b598", + "modified": "2023-10-27T20:54:34.950165Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.952165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RPC reply messages.", + "event_id": "rpc_reply", + "id": "x-mitre-sensor-mapping--a86521ed-4abe-441c-b5a0-5a9d7cc416bf", + "modified": "2023-10-27T20:54:34.952165Z", + "relationship": 
"Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.953165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RPC request/reply pairs.", + "event_id": "rpc_dialogue", + "id": "x-mitre-sensor-mapping--8db21adb-f430-4035-bea5-3e78cff75bd6", + "modified": "2023-10-27T20:54:34.953165Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.954166Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 request/reply dialogues of type mnt.", + "event_id": "mount_proc_mnt", + "id": "x-mitre-sensor-mapping--817043e7-650e-4e38-b394-f6177d389d1e", + "modified": "2023-10-27T20:54:34.954166Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.955165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.", + "event_id": "mount_proc_not_implemented", + "id": "x-mitre-sensor-mapping--523f3d33-1948-484c-8f12-7f3bfa612689", + "modified": "2023-10-27T20:54:34.955165Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.956717Z", + "data_component": 
"Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 request/reply dialogues of type null.", + "event_id": "mount_proc_null", + "id": "x-mitre-sensor-mapping--614f5838-1710-43a6-bc5e-2c27d197b5a7", + "modified": "2023-10-27T20:54:34.956717Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.957704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 request/reply dialogues of type umnt.", + "event_id": "mount_proc_umnt", + "id": "x-mitre-sensor-mapping--5e24a6a1-afa6-4966-bb9d-ea111a0adda7", + "modified": "2023-10-27T20:54:34.957704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.958704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 request/reply dialogues of type umnt_all.", + "event_id": "mount_proc_umnt_all", + "id": "x-mitre-sensor-mapping--bc54ed4b-514d-4cec-a086-a0b21dc0704e", + "modified": "2023-10-27T20:54:34.958704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.960704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type create.", + "event_id": "nfs_proc_create", + "id": "x-mitre-sensor-mapping--dbb714f8-673a-46f6-bacf-8582df75cfca", + "modified": 
"2023-10-27T20:54:34.960704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.961704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type getattr.", + "event_id": "nfs_proc_getattr", + "id": "x-mitre-sensor-mapping--e0efa31b-e91a-4ea7-92a0-1561b65280da", + "modified": "2023-10-27T20:54:34.961704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.962705Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type link.", + "event_id": "nfs_proc_link", + "id": "x-mitre-sensor-mapping--9273aabf-5de2-46ad-aceb-083a38a2bd4f", + "modified": "2023-10-27T20:54:34.962705Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.963704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type lookup.", + "event_id": "nfs_proc_lookup", + "id": "x-mitre-sensor-mapping--3726ca70-3ca2-4af2-8f3e-86f8841608b1", + "modified": "2023-10-27T20:54:34.963704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.964704Z", + 
"data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type mkdir.", + "event_id": "nfs_proc_mkdir", + "id": "x-mitre-sensor-mapping--c7a62e10-22a7-4ab0-8137-f9dc85c8bcc1", + "modified": "2023-10-27T20:54:34.964704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.965704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type null.", + "event_id": "nfs_proc_mkdir", + "id": "x-mitre-sensor-mapping--8ba1eca6-0215-4a64-b7c0-33ef8a0e0769", + "modified": "2023-10-27T20:54:34.965704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.967704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type read.", + "event_id": "nfs_proc_read", + "id": "x-mitre-sensor-mapping--071d6832-5621-4227-ba7a-3e2ddb76ad8e", + "modified": "2023-10-27T20:54:34.967704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.968703Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type readdir.", + "event_id": "nfs_proc_readdir", + "id": "x-mitre-sensor-mapping--90709134-07a2-4276-ae99-735c0107cef4", + "modified": 
"2023-10-27T20:54:34.968703Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.969704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type readlink.", + "event_id": "nfs_proc_readlink", + "id": "x-mitre-sensor-mapping--ada1c22a-389c-45bd-b1bf-f64ebf3156bc", + "modified": "2023-10-27T20:54:34.969704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.971759Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type remove.", + "event_id": "nfs_proc_remove", + "id": "x-mitre-sensor-mapping--72936d12-c81e-4606-98a3-764e4610e792", + "modified": "2023-10-27T20:54:34.971759Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.972832Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type rename.", + "event_id": "nfs_proc_rename", + "id": "x-mitre-sensor-mapping--bfb142d3-693a-4aa2-b872-86483ac84f67", + "modified": "2023-10-27T20:54:34.972832Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": 
"2023-10-27T20:54:34.974121Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type rmdir.", + "event_id": "nfs_proc_rmdir", + "id": "x-mitre-sensor-mapping--f9734ad1-f6d6-4381-b0c4-b2265f49bd16", + "modified": "2023-10-27T20:54:34.974121Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.975098Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type sattr.", + "event_id": "nfs_proc_sattr", + "id": "x-mitre-sensor-mapping--1ba230a6-9b4f-482f-8ec0-c7577ad660b9", + "modified": "2023-10-27T20:54:34.975098Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.976153Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type symlink.", + "event_id": "nfs_proc_symlink", + "id": "x-mitre-sensor-mapping--17af3a06-4684-405c-bdf7-6bc04b342099", + "modified": "2023-10-27T20:54:34.976153Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.977148Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type write.", + "event_id": "nfs_proc_write", + "id": "x-mitre-sensor-mapping--e5165d84-42ac-42ba-9f68-7598e4801398", 
+ "modified": "2023-10-27T20:54:34.977148Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.979247Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each NFSv3 reply message received, reporting just the status included.", + "event_id": "nfs_reply_status", + "id": "x-mitre-sensor-mapping--c5d0d896-2705-4273-aa36-f8e04a59e9d5", + "modified": "2023-10-27T20:54:34.979247Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.980332Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type callit.", + "event_id": "pm_attempt_callit", + "id": "x-mitre-sensor-mapping--1a25ab67-fccc-4ff5-89ae-3b29d092375c", + "modified": "2023-10-27T20:54:34.980332Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.981355Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type dump.", + "event_id": "pm_attempt_dump", + "id": "x-mitre-sensor-mapping--785617c1-6a1a-49b0-9145-a9df20c2abca", + "modified": "2023-10-27T20:54:34.981355Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": 
"2023-10-27T20:54:34.982433Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type getport.", + "event_id": "pm_attempt_getport", + "id": "x-mitre-sensor-mapping--3c075490-c85c-4e5a-92ce-2b1852c585b5", + "modified": "2023-10-27T20:54:34.982433Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.983481Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type null.", + "event_id": "pm_attempt_null", + "id": "x-mitre-sensor-mapping--b7b972d0-1d91-44f3-93d5-5cf2671f51ba", + "modified": "2023-10-27T20:54:34.983481Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.984563Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type set.", + "event_id": "pm_attempt_set", + "id": "x-mitre-sensor-mapping--f09d2543-ae65-41c4-b168-f9a4de4f04fe", + "modified": "2023-10-27T20:54:34.984563Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.985644Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type unset.", + "event_id": "pm_attempt_unset", + "id": "x-mitre-sensor-mapping--a1e6a43f-6f6e-4c54-9f7a-45d63b41836a", + 
"modified": "2023-10-27T20:54:34.985644Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.987052Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for Portmapper requests or replies that include an invalid port number.", + "event_id": "pm_bad_port", + "id": "x-mitre-sensor-mapping--38784694-0277-4ef4-8edd-7974d59e38d3", + "modified": "2023-10-27T20:54:34.987052Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.988051Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SIP replies, used in Voice over IP (VoIP).", + "event_id": "sip_reply", + "id": "x-mitre-sensor-mapping--6152d455-afe8-4b11-b435-f7ae1c3285f6", + "modified": "2023-10-27T20:54:34.988051Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Cloud", + "spec_version": "2.1", + "target": "Sip", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.989182Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SIP requests, used in Voice over IP (VoIP).", + "event_id": "sip_request", + "id": "x-mitre-sensor-mapping--d310a40d-6806-4389-9131-90b58e032e06", + "modified": "2023-10-27T20:54:34.989182Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Sip", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": 
"2023-10-27T20:54:34.990278Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DATA transmitted on SMTP sessions.", + "event_id": "smtp_data", + "id": "x-mitre-sensor-mapping--44dfd0dd-c8cb-4c58-9a74-c56176f8ceb5", + "modified": "2023-10-27T20:54:34.990278Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host, Process/User", + "spec_version": "2.1", + "target": "Smtp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.992296Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS.", + "event_id": "smtp_starttls", + "id": "x-mitre-sensor-mapping--5f19fb8d-4ef8-4a37-be5c-f805a2f389d3", + "modified": "2023-10-27T20:54:34.992296Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host, Process/User", + "spec_version": "2.1", + "target": "Smtp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.993297Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SNMP GetBulkRequest-PDU message from RFC 3416.", + "event_id": "snmp_get_bulk_request", + "id": "x-mitre-sensor-mapping--18211c82-1339-46c4-9ab4-f8b5e899c27d", + "modified": "2023-10-27T20:54:34.993297Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.994292Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SNMP GetNextRequest-PDU message from either RFC 1157 or RFC 3416.", + "event_id": "snmp_get_next_request", + "id": 
"x-mitre-sensor-mapping--bf99194e-2baf-49a6-bf24-1db14c471113", + "modified": "2023-10-27T20:54:34.994292Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.995359Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SNMP InformRequest-PDU message from RFC 3416.", + "event_id": "snmp_inform_request", + "id": "x-mitre-sensor-mapping--ffbc6e41-2461-49c1-8576-aca2e5d48692", + "modified": "2023-10-27T20:54:34.995359Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host, Process", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.996358Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SNMP GetResponse-PDU message from RFC 1157 or a Response-PDU from RFC 3416.", + "event_id": "snmp_response", + "id": "x-mitre-sensor-mapping--1377b4ee-bddf-48b2-974a-91e59d1ce626", + "modified": "2023-10-27T20:54:34.996358Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.998859Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a SOCKS reply is analyzed.", + "event_id": "socks_reply", + "id": "x-mitre-sensor-mapping--fa917952-81dd-4a66-a21d-a56da918f9d7", + "modified": "2023-10-27T20:54:34.998859Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Socks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, 
+ { + "created": "2023-10-27T20:54:34.999859Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a SOCKS request is analyzed.", + "event_id": "socks_request", + "id": "x-mitre-sensor-mapping--7b11ef72-7658-44b2-b0c6-bc4a40c48d73", + "modified": "2023-10-27T20:54:34.999859Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Socks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.00258Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SSH Protocol Version Exchange message from the client.", + "event_id": "ssh_client_version", + "id": "x-mitre-sensor-mapping--0059f74e-b3ba-444c-b651-cf96fa7d86c1", + "modified": "2023-10-27T20:54:35.00258Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.003585Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SSH Protocol Version Exchange message from the server.", + "event_id": "ssh_server_version", + "id": "x-mitre-sensor-mapping--fb9bd7da-cf6b-4b66-b6b5-89aa43f8bde3", + "modified": "2023-10-27T20:54:35.003585Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.004586Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "This event is raised when a SSL/TLS ChangeCipherSpec message is encountered before encryption begins.", + "event_id": "ssl_change_cipher_spec", + "id": 
"x-mitre-sensor-mapping--6f844fdd-4d6d-485c-98f1-ffd6565f605c", + "modified": "2023-10-27T20:54:35.004586Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.006581Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SSL/TLS extensions seen in an initial handshake.", + "event_id": "ssl_extension", + "id": "x-mitre-sensor-mapping--524a65f9-58d0-4d9f-a25b-625c5612c75e", + "modified": "2023-10-27T20:54:35.006581Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.007584Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "This event is raised for each unencrypted SSL/TLS handshake message.", + "event_id": "ssl_handshake_message", + "id": "x-mitre-sensor-mapping--29c57691-ab69-4d48-8538-bfda8217b87c", + "modified": "2023-10-27T20:54:35.007584Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.009572Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SSL/TLS heartbeat messages that are sent before session encryption starts.", + "event_id": "ssl_heartbeat", + "id": "x-mitre-sensor-mapping--c715dbd5-ff13-4215-a087-e05f9e589b8b", + "modified": "2023-10-27T20:54:35.009572Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", 
+ "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.010586Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for an unsuccessful connection attempt.", + "event_id": "connection_attempt", + "id": "x-mitre-sensor-mapping--fc325c64-30a8-430b-acb2-7a7e32cdbdac", + "modified": "2023-10-27T20:54:35.010586Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.011601Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated at the end of reassembled TCP connections.", + "event_id": "connection_eof", + "id": "x-mitre-sensor-mapping--c60a12b3-bfc4-466f-9c4b-e87ec9d3365a", + "modified": "2023-10-27T20:54:35.011601Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.013176Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for a TCP connection that finished normally.", + "event_id": "connection_finished", + "id": "x-mitre-sensor-mapping--3e7528e7-5f02-45ba-ab61-1343cf656040", + "modified": "2023-10-27T20:54:35.013176Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.015146Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when one endpoint of a TCP connection attempted 
to gracefully close the connection, but the other endpoint is in the TCP_INACTIVE state.", + "event_id": "connection_half_finished", + "id": "x-mitre-sensor-mapping--c1d2687e-f402-4dfb-8f69-936545a4bc1e", + "modified": "2023-10-27T20:54:35.015146Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.017149Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a previously inactive endpoint attempts to close a TCP connection via a normal FIN handshake or an abort RST sequence.", + "event_id": "connection_partial_close", + "id": "x-mitre-sensor-mapping--f8bf284b-9ee7-4419-9b36-42c5ce830dd6", + "modified": "2023-10-27T20:54:35.017149Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.0187Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each still-open TCP connection when Zeek terminates.", + "event_id": "connection_pending", + "id": "x-mitre-sensor-mapping--a108932e-42fd-4e1b-87af-bb07e1f777dc", + "modified": "2023-10-27T20:54:35.0187Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.020716Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for a rejected TCP connection.", + "event_id": "connection_rejected", + "id": 
"x-mitre-sensor-mapping--1edd67e4-ac0a-4944-86a6-9a1c1bf642bd", + "modified": "2023-10-27T20:54:35.020716Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.021769Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when an endpoint aborted a TCP connection.", + "event_id": "connection_reset", + "id": "x-mitre-sensor-mapping--345656fc-dd0a-4fa5-8125-969abe256199", + "modified": "2023-10-27T20:54:35.021769Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.022771Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for a new active TCP connection if Zeek did not see the initial handshake.", + "event_id": "partial_connection", + "id": "x-mitre-sensor-mapping--264556ad-bdfe-415a-9d48-9298e31608ca", + "modified": "2023-10-27T20:54:35.022771Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.023777Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each detected TCP segment retransmission.", + "event_id": "tcp_rexmit", + "id": "x-mitre-sensor-mapping--dbea7ab0-b5c7-42b3-b41a-4ea1f1f93674", + "modified": "2023-10-27T20:54:35.023777Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Tcp", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.025704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "This event is generated when an SSH connection was determined to have had an authentication attempt.", + "event_id": "ssh_auth_attempted", + "id": "x-mitre-sensor-mapping--4bf2202e-2c6e-4d8d-88bd-f0a7360abe7c", + "modified": "2023-10-27T20:54:35.025704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.026266Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for ARP requests.", + "event_id": "arp_request", + "id": "x-mitre-sensor-mapping--97d5609d-d0a5-4cab-943c-728050bdfcd3", + "modified": "2023-10-27T20:54:35.026266Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Arp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.028262Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for ARP replies.", + "event_id": "arp_reply", + "id": "x-mitre-sensor-mapping--a1219f50-d101-4323-94b7-94ca9abe4380", + "modified": "2023-10-27T20:54:35.028262Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Arp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.029335Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS requests.", + "event_id": "dns_request", + "id": 
"x-mitre-sensor-mapping--32a33dd0-fce5-4c6b-8f3d-86e9798b39cc", + "modified": "2023-10-27T20:54:35.029335Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.03034Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event.", + "event_id": "dns_unknown_reply", + "id": "x-mitre-sensor-mapping--8c6e28cc-b043-4438-a266-52df94a5eca1", + "modified": "2023-10-27T20:54:35.03034Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.032254Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type A6.", + "event_id": "dns_a6_reply", + "id": "x-mitre-sensor-mapping--97f88c40-42ab-4f77-856b-55f153d17a8b", + "modified": "2023-10-27T20:54:35.032254Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.033842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type AAAA.", + "event_id": "dns_AAAA_reply", + "id": "x-mitre-sensor-mapping--6de6c475-1796-45ea-8652-febf379e985a", + "modified": "2023-10-27T20:54:35.033842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.034842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type A.", + "event_id": "dns_A_reply", + "id": "x-mitre-sensor-mapping--1fb34e59-b11a-4d43-9685-15f005749cd9", + "modified": "2023-10-27T20:54:35.034842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.035842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type CAA (Certification Authority Authorization).", + "event_id": "dns_CAA_reply", + "id": "x-mitre-sensor-mapping--fc5af907-8a24-4c75-a106-7bd6a26354f5", + "modified": "2023-10-27T20:54:35.035842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.037843Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type CNAME.", + "event_id": "dns_CNAME_reply", + "id": "x-mitre-sensor-mapping--fa31c39f-2f48-43d3-842d-f1f377c548f2", + "modified": "2023-10-27T20:54:35.037843Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.038843Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type DNSKEY.", + "event_id": "dns_DNSKEY_reply", + "id": 
"x-mitre-sensor-mapping--0e48135a-4355-48bd-a699-415f4541795a", + "modified": "2023-10-27T20:54:35.038843Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.039842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type DS.", + "event_id": "dns_DS_reply", + "id": "x-mitre-sensor-mapping--a2ec1ecd-6207-4b78-9c3c-2bfc247d9996", + "modified": "2023-10-27T20:54:35.039842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.040842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type EDNS.", + "event_id": "dns_EDNS_addl_reply", + "id": "x-mitre-sensor-mapping--3cc16ce9-5e53-429a-abfd-97d8e6906f41", + "modified": "2023-10-27T20:54:35.040842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.042842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type EDNS.", + "event_id": "dns_EDNS_ecs_reply", + "id": "x-mitre-sensor-mapping--16de85c8-062b-41c7-b1e4-1a5f9f76f807", + "modified": "2023-10-27T20:54:35.042842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.043842Z", + 
"data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type HINFO.", + "event_id": "dns_HINFO_reply", + "id": "x-mitre-sensor-mapping--9fd1888c-ade9-4475-bceb-5406febfa89c", + "modified": "2023-10-27T20:54:35.043842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.044842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type MX.", + "event_id": "dns_MX_reply", + "id": "x-mitre-sensor-mapping--a5addcf6-e8d4-4990-b945-1c29f67bfc80", + "modified": "2023-10-27T20:54:35.044842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.045842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type NSEC.", + "event_id": "dns_NSEC_reply", + "id": "x-mitre-sensor-mapping--79a79caa-13e6-49f9-be8c-a42c7e23bbd1", + "modified": "2023-10-27T20:54:35.045842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.047844Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type NSEC3.", + "event_id": "dns_NSEC_reply", + "id": "x-mitre-sensor-mapping--336e9a93-86a9-4b7d-a5fd-181734af851d", + "modified": "2023-10-27T20:54:35.047844Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", 
+ "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.048842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type NS.", + "event_id": "dns_NS_reply", + "id": "x-mitre-sensor-mapping--1b3d866d-b2a9-48c9-abb0-da41576dc104", + "modified": "2023-10-27T20:54:35.048842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.050841Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type PTR.", + "event_id": "dns_PTR_reply", + "id": "x-mitre-sensor-mapping--ead230b8-eafb-49ca-8603-eb6894abc929", + "modified": "2023-10-27T20:54:35.050841Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.051842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type RRSIG.", + "event_id": "dns_RRSIG_reply", + "id": "x-mitre-sensor-mapping--c51079ce-fc83-4fd8-b1bd-ad17e15605c4", + "modified": "2023-10-27T20:54:35.051842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.052843Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type SOA.", + "event_id": "dns_SOA_reply", + "id": 
"x-mitre-sensor-mapping--39c5f5e6-7860-4961-abdd-db50a6ae58be", + "modified": "2023-10-27T20:54:35.052843Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.053846Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type SPF.", + "event_id": "dns_SPF_reply", + "id": "x-mitre-sensor-mapping--9ac7665f-6df1-4c89-88ea-76120a535a73", + "modified": "2023-10-27T20:54:35.053846Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.056844Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type SRV.", + "event_id": "dns_SRV_reply", + "id": "x-mitre-sensor-mapping--95f0513a-8e29-4c0a-997a-a33e40deacc5", + "modified": "2023-10-27T20:54:35.056844Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.05894Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type TSIG.", + "event_id": "dns_TSIG_reply", + "id": "x-mitre-sensor-mapping--f5a66ea6-f1b4-41d9-8e01-1afcc1aa2729", + "modified": "2023-10-27T20:54:35.05894Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.061368Z", + 
"data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type TXT.", + "event_id": "dns_TXT_reply", + "id": "x-mitre-sensor-mapping--8bddc316-8d39-4fc9-9608-35b3d5007fa2", + "modified": "2023-10-27T20:54:35.061368Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.062366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type WKS.", + "event_id": "dns_WKS_reply", + "id": "x-mitre-sensor-mapping--70dbfd87-8c6b-4d37-b55a-ffad5f9209bb", + "modified": "2023-10-27T20:54:35.062366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.064367Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for client-side FTP commands.", + "event_id": "ftp_request", + "id": "x-mitre-sensor-mapping--3e8368e4-2270-4346-b37d-e7f41ea09fe2", + "modified": "2023-10-27T20:54:35.064367Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ftp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.065371Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for server-side FTP replies.", + "event_id": "ftp_reply", + "id": "x-mitre-sensor-mapping--826ea1ff-9b89-4606-ba30-a05350b5235d", + "modified": "2023-10-27T20:54:35.065371Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + 
"spec_version": "2.1", + "target": "Ftp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.067367Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type close.", + "event_id": "smb2_close_response", + "id": "x-mitre-sensor-mapping--ae304fbd-4395-4134-abab-88d0c70f332b", + "modified": "2023-10-27T20:54:35.067367Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.068366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type create.", + "event_id": "smb2_create_response", + "id": "x-mitre-sensor-mapping--63a7e1d5-2b34-45f9-9343-9e32210bde42", + "modified": "2023-10-27T20:54:35.068366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.069366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for client-side commands on POP3 connections.", + "event_id": "pop3_request", + "id": "x-mitre-sensor-mapping--26bd5143-39bf-41b9-a7e5-ba6e87d7e08a", + "modified": "2023-10-27T20:54:35.069366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.071366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for server-side replies 
to commands on POP3 connections.", + "event_id": "pop3_reply", + "id": "x-mitre-sensor-mapping--3e81c58f-1299-4424-bcba-be6de72c412b", + "modified": "2023-10-27T20:54:35.071366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.072366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for client-side SMTP commands.", + "event_id": "smtp_request", + "id": "x-mitre-sensor-mapping--02415b7c-d22d-47b7-97e1-187ad8c81b23", + "modified": "2023-10-27T20:54:35.072366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smtp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.073367Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for server-side SMTP commands.", + "event_id": "smtp_reply", + "id": "x-mitre-sensor-mapping--53827a76-bb5a-4ff8-8bd5-ff173343b49f", + "modified": "2023-10-27T20:54:35.073367Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Smtp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.075366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for all DHCP messages.", + "event_id": "dhcp_message", + "id": "x-mitre-sensor-mapping--839940fc-a7f3-4e30-8a40-833b1d5f7cbe", + "modified": "2023-10-27T20:54:35.075366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dhcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": 
"DS0029" + }, + { + "created": "2023-10-27T20:54:35.077367Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for ICMP echo request messages.", + "event_id": "icmp_echo_request", + "id": "x-mitre-sensor-mapping--214d82f8-0a52-4da1-84b4-aaaaaf51a01c", + "modified": "2023-10-27T20:54:35.077367Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Command Execution", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.079369Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for ICMP echo reply messages.", + "event_id": "icmp_echo_reply", + "id": "x-mitre-sensor-mapping--690d4e53-bab7-49a6-b6e5-cad0c6a620ac", + "modified": "2023-10-27T20:54:35.079369Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Command Execution", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.080369Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC request message.", + "event_id": "dce_rpc_request", + "id": "x-mitre-sensor-mapping--55ad195b-b3d4-4872-bacd-af4e6feefa37", + "modified": "2023-10-27T20:54:35.080369Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.082366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC reply message.", + "event_id": "dce_rpc_reply", + "id": "x-mitre-sensor-mapping--e58ba889-cb99-421e-8d5e-a09039566e27", + "modified": 
"2023-10-27T20:54:35.082366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.083366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for HTTP requests.", + "event_id": "http_request", + "id": "x-mitre-sensor-mapping--fd8e8b49-3f2a-42b5-b267-10960d78135a", + "modified": "2023-10-27T20:54:35.083366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.085415Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for HTTP replies.", + "event_id": "http_reply", + "id": "x-mitre-sensor-mapping--3344aef6-55c0-4c54-9a63-e0485dcf17c5", + "modified": "2023-10-27T20:54:35.085415Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.086387Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each packet sent by a UDP flow’s responder.", + "event_id": "udp_reply", + "id": "x-mitre-sensor-mapping--52fa68dd-9f4b-467b-b2ee-0952e2373d23", + "modified": "2023-10-27T20:54:35.086387Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Udp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.088386Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": 
"Generated for each packet sent by a UDP flow’s originator.", + "event_id": "udp_request", + "id": "x-mitre-sensor-mapping--96f5ac67-c0bc-4b99-981d-e926fd356b04", + "modified": "2023-10-27T20:54:35.088386Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Udp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + } + ], + "type": "bundle" +}
\ No newline at end of file
diff --git a/mappings/stix/enterprise/Sysmon-mappings-enterprise.json b/mappings/stix/enterprise/Sysmon-mappings-enterprise.json
new file mode 100644
index 0000000..93505a6
--- /dev/null
+++ b/mappings/stix/enterprise/Sysmon-mappings-enterprise.json
@@ -0,0 +1,1162 @@ +{ + "id": "bundle--fe128ad6-523e-4528-9b65-daf63bd09264", + "objects": [ + { + "created": "2023-10-27T20:54:34.461525Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0f563052-0cbb-4d8e-a260-ea15a5553dd5", + "modified": "2023-10-27T20:54:34.461525Z", + "name": "Driver Load", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.463112Z", + "data_component": "Driver Load", + "data_source": "Driver", + "description": "Driver loaded", + "event_id": "", + "id": "x-mitre-sensor-mapping--56912b21-b291-4496-ac50-6072bca43e7a", + "modified": "2023-10-27T20:54:34.463112Z", + "relationship": "Loaded", + "revoked": false, + "source": "Driver", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0027" + }, + { + "created": "2023-10-27T20:54:34.463633Z", + "id": "relationship--44b556e3-bc8a-4120-9767-0f50e1771e61", + "modified": "2023-10-27T20:54:34.463633Z", + "relationship_type": "Loaded", + "revoked": false, + "source_ref": "x-mitre-data-source--9ec8c0d7-6137-456f-b829-c5f8b96ba054", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0f563052-0cbb-4d8e-a260-ea15a5553dd5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.648869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "modified": "2023-10-27T20:54:33.648869Z", + "name": "File Access", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.464157Z", + "data_component": "File Access", + "data_source": "File", + "description": "The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\\ denotation", + "event_id": "", + "id": "x-mitre-sensor-mapping--b31163b5-8f84-4e3f-a230-295d340ce037", + "modified": "2023-10-27T20:54:34.464157Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.464676Z", + "id": "relationship--e8726869-feea-4fa5-b272-0705d3ffb7fe", + "modified": "2023-10-27T20:54:34.464676Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.208309Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--c0c6bb35-9e38-47d5-be54-c33c1bcdd9f4", + "modified": "2023-10-27T20:54:34.208309Z", + "name": "File Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.464676Z", + "data_component": "File Creation", + "data_source": "File", + "description": "FileCreate", + "event_id": "", + "id": "x-mitre-sensor-mapping--6d66f790-b3f9-49d8-b7c9-9bba9b36af89", + "modified": "2023-10-27T20:54:34.464676Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.465669Z", + "id": "relationship--9b6ee13a-bb23-46bb-8e36-00e5370f718e", + "modified": "2023-10-27T20:54:34.465669Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--c0c6bb35-9e38-47d5-be54-c33c1bcdd9f4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.465669Z", + "data_component": "File Creation", + "data_source": "File", + "description": "FileCreateStreamHash", + "event_id": "", + "id": "x-mitre-sensor-mapping--be1cc0f0-fe29-4c5e-abf0-5f4c6f2ac682", + "modified": "2023-10-27T20:54:34.465669Z", + "relationship": "Created", + "revoked": false, + "source": "File", + "spec_version": "2.1", + "target": "File Stream Hash", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.466791Z", + "id": "relationship--55960015-9a60-45d4-861d-e29f5d9c451d", + "modified": "2023-10-27T20:54:34.466791Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--c0c6bb35-9e38-47d5-be54-c33c1bcdd9f4", 
+ "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65187Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "modified": "2023-10-27T20:54:33.65187Z", + "name": "File Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.466791Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "FileDelete", + "event_id": "", + "id": "x-mitre-sensor-mapping--041d1d45-751b-4875-9fc8-d4ce85275926", + "modified": "2023-10-27T20:54:34.466791Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.467865Z", + "id": "relationship--8ccbc919-af8e-4ac2-8130-07c69a90abde", + "modified": "2023-10-27T20:54:34.467865Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.467865Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "File Delete logged.", + "event_id": "", + "id": "x-mitre-sensor-mapping--84dccb9a-da5f-4b73-a84a-5811c429bd88", + "modified": "2023-10-27T20:54:34.467865Z", + "relationship": "Deleted", + "revoked": false, + "source": 
"Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.468886Z", + "id": "relationship--816cebaf-37a7-4af1-ac96-ecd7da04f790", + "modified": "2023-10-27T20:54:34.468886Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.655922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "modified": "2023-10-27T20:54:33.655922Z", + "name": "File Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.468886Z", + "data_component": "File Modification", + "data_source": "File", + "description": "A process changed a file creation time", + "event_id": "", + "id": "x-mitre-sensor-mapping--b1dc8eae-ddb1-4dfe-a96f-057680c89e7c", + "modified": "2023-10-27T20:54:34.468886Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User/File", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.469961Z", + "id": "relationship--29b19852-c767-490e-950c-2c95e78a7b81", + "modified": "2023-10-27T20:54:34.469961Z", + "relationship_type": "Modified", + 
"revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.469961Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--bc66dfbd-3982-4bea-81f8-015503e08c50", + "modified": "2023-10-27T20:54:34.469961Z", + "name": "Module Load", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.471077Z", + "data_component": "Module Load", + "data_source": "Module", + "description": "Image Loaded", + "event_id": "", + "id": "x-mitre-sensor-mapping--5cb091c8-c4fa-40b5-a387-d0efd6d072be", + "modified": "2023-10-27T20:54:34.471077Z", + "relationship": "Loaded", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Module", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0011" + }, + { + "created": "2023-10-27T20:54:34.471995Z", + "id": "relationship--546c2799-d97c-44f9-8621-d746cb87ba23", + "modified": "2023-10-27T20:54:34.471995Z", + "relationship_type": "Loaded", + "revoked": false, + "source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--bc66dfbd-3982-4bea-81f8-015503e08c50", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.472998Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": 
"x-mitre-data-component--38ebff0a-95bb-4c81-8c69-006e185123f2", + "modified": "2023-10-27T20:54:34.472998Z", + "name": "Named Pipe Connection", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.472998Z", + "data_component": "Named Pipe Connection", + "data_source": "Named Pipe", + "description": "PipeEvent (Pipe Connected)", + "event_id": "", + "id": "x-mitre-sensor-mapping--0490edcc-7da6-42f4-9943-1cba0ab5ddbb", + "modified": "2023-10-27T20:54:34.472998Z", + "relationship": "Created", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Named Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.472998Z", + "id": "relationship--bb2dd6a5-ac57-46b4-91ca-0a6755555406", + "modified": "2023-10-27T20:54:34.472998Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--38ebff0a-95bb-4c81-8c69-006e185123f2", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.474126Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a1eae790-0019-48b4-ac25-a7d75544909f", + "modified": "2023-10-27T20:54:34.474126Z", + "name": "Named Pipe Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.475103Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "PipeEvent (Pipe Created)", + "event_id": "", + "id": "x-mitre-sensor-mapping--5b910e45-1686-4938-91a8-6c437d3827e9", + "modified": "2023-10-27T20:54:34.475103Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.475103Z", + "id": "relationship--dacb4f81-5178-4ce9-85ca-1a8304a9354c", + "modified": "2023-10-27T20:54:34.475103Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a1eae790-0019-48b4-ac25-a7d75544909f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.476102Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "PipeEvent (Pipe Created)", + "event_id": "", + "id": "x-mitre-sensor-mapping--f1b20673-8b34-47cf-8ccd-8324ee2cdaae", + "modified": "2023-10-27T20:54:34.476102Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.477215Z", + "id": "relationship--24cfb1bb-5ac0-429b-b71c-49f9e3c1b00a", + "modified": "2023-10-27T20:54:34.477215Z", + "relationship_type": "Connected To", + "revoked": false, + "source_ref": 
"x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a1eae790-0019-48b4-ac25-a7d75544909f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.477215Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "PipeEvent (Pipe Connected)", + "event_id": "", + "id": "x-mitre-sensor-mapping--528e5198-fe7e-4e2e-9426-08139cad9918", + "modified": "2023-10-27T20:54:34.477215Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.478308Z", + "id": "relationship--b3955b92-9e64-4f3c-a529-6ba1aa17093e", + "modified": "2023-10-27T20:54:34.478308Z", + "relationship_type": "Connected To", + "revoked": false, + "source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a1eae790-0019-48b4-ac25-a7d75544909f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.478308Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "modified": "2023-10-27T20:54:34.478308Z", + "name": "Network Connection Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.479323Z", + "data_component": "Network Connection Creation", + "data_source": "Network 
Traffic", + "description": "Network connection", + "event_id": "", + "id": "x-mitre-sensor-mapping--710fa8f2-41af-491d-86ab-a75c350e8bc9", + "modified": "2023-10-27T20:54:34.479323Z", + "relationship": "Connected To/From", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ip/Port/Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.479323Z", + "id": "relationship--6279c1cf-ceca-4849-9bbc-2c4f2b1388aa", + "modified": "2023-10-27T20:54:34.479323Z", + "relationship_type": "Connected To/From", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.681873Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--12fb7e95-8224-492c-b5e7-80903a6c8bfa", + "modified": "2023-10-27T20:54:33.681873Z", + "name": "Process Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.480406Z", + "data_component": "Process Access", + "data_source": "Process", + "description": "ProcessAccess", + "event_id": "", + "id": "x-mitre-sensor-mapping--d2474944-bdcf-49b6-994c-683627126c66", + "modified": "2023-10-27T20:54:34.480406Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Process", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.480406Z", + "id": "relationship--49faef60-9d58-4ed7-9756-f16a2b2b1ccf", + "modified": "2023-10-27T20:54:34.480406Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--12fb7e95-8224-492c-b5e7-80903a6c8bfa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.684869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "modified": "2023-10-27T20:54:33.684869Z", + "name": "Process Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.481431Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "A new process has been created", + "event_id": "", + "id": "x-mitre-sensor-mapping--323a48e7-e750-45d3-a7b1-4458f0486c16", + "modified": "2023-10-27T20:54:34.481431Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.481431Z", + "id": "relationship--2e97b576-3df2-44f1-ab67-4371a44704dc", + "modified": "2023-10-27T20:54:34.481431Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": 
"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.482522Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "A new process has been created", + "event_id": "", + "id": "x-mitre-sensor-mapping--f7db2eaa-a537-4213-8e04-b51958118dfb", + "modified": "2023-10-27T20:54:34.482522Z", + "relationship": "Executed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.483626Z", + "id": "relationship--4e1088bf-50d5-4d49-a802-8744ce5e0ec6", + "modified": "2023-10-27T20:54:34.483626Z", + "relationship_type": "Executed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.387867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "modified": "2023-10-27T20:54:34.387867Z", + "name": "Process Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.48425Z", + "data_component": "Process Metadata", + "data_source": "Process", + "description": 
"EventID(30)", + "event_id": "", + "id": "x-mitre-sensor-mapping--0be20a9a-f266-4edc-b626-bd45288c61b4", + "modified": "2023-10-27T20:54:34.48425Z", + "relationship": "Searched", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Ldap", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.484878Z", + "id": "relationship--bda270c9-f441-4bfa-99d2-b1245e1163ea", + "modified": "2023-10-27T20:54:34.484878Z", + "relationship_type": "Searched", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--781acdbc-a4fd-43d9-9f6f-80eb8b53bf94", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.484878Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--62941e03-da2b-467b-96b7-b8ef6d6c8fbc", + "modified": "2023-10-27T20:54:34.484878Z", + "name": "Process Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.485962Z", + "data_component": "Process Modification", + "data_source": "Process", + "description": "The CreateRemoteThread event detects when a process creates a thread in another process.", + "event_id": "", + "id": "x-mitre-sensor-mapping--35cc55db-fa79-429c-9a14-740cd80f14db", + "modified": "2023-10-27T20:54:34.485962Z", + "relationship": "Modified", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Process", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.485962Z", + "id": "relationship--d87bbb9f-1b8f-4d2c-bd5d-cc0d86ccaed0", + "modified": "2023-10-27T20:54:34.485962Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--62941e03-da2b-467b-96b7-b8ef6d6c8fbc", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.687867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--52a9b19a-9dcc-4eef-aff3-58d3e4523ceb", + "modified": "2023-10-27T20:54:33.687867Z", + "name": "Process Termination", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.487065Z", + "data_component": "Process Termination", + "data_source": "Process", + "description": "Process terminated", + "event_id": "", + "id": "x-mitre-sensor-mapping--693e9680-a3cd-441c-b2a5-01ae27d7802e", + "modified": "2023-10-27T20:54:34.487065Z", + "relationship": "Terminated", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.487968Z", + "id": "relationship--c70f5aae-510e-4f58-99c8-c8e67971e6fc", + "modified": "2023-10-27T20:54:34.487968Z", + "relationship_type": "Terminated", + "revoked": false, + "source_ref": 
"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--52a9b19a-9dcc-4eef-aff3-58d3e4523ceb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.69607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "modified": "2023-10-27T20:54:33.69607Z", + "name": "Service Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.487968Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "Sysmon service state changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--a0a20744-a7b0-4c76-924b-e4ef1105bd27", + "modified": "2023-10-27T20:54:34.487968Z", + "relationship": "Stopped/Started", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.489047Z", + "id": "relationship--c4fc6272-48ba-428c-945c-270b9bacd650", + "modified": "2023-10-27T20:54:34.489047Z", + "relationship_type": "Stopped/Started", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.489047Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": 
"x-mitre-data-component--7fa1ea2a-ef03-4797-b4da-ded7431b03a6", + "modified": "2023-10-27T20:54:34.489047Z", + "name": "Windows Registry Key Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.490097Z", + "data_component": "Windows Registry Key Creation", + "data_source": "Windows Registry", + "description": "RegistryEvent (Object create and delete)", + "event_id": "", + "id": "x-mitre-sensor-mapping--da9593be-d9c9-4abb-95c3-8815b264dd6b", + "modified": "2023-10-27T20:54:34.490097Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.491088Z", + "id": "relationship--56d1864d-eb29-4b62-bc6f-6708324f3f15", + "modified": "2023-10-27T20:54:34.491088Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--7fa1ea2a-ef03-4797-b4da-ded7431b03a6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.491088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--bd62e695-7bf5-4d81-880b-c63f30635156", + "modified": "2023-10-27T20:54:34.491088Z", + "name": "Windows Registry Key Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + 
"type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.492083Z", + "data_component": "Windows Registry Key Deletion", + "data_source": "Windows Registry", + "description": "RegistryEvent (Object create and delete)", + "event_id": "", + "id": "x-mitre-sensor-mapping--d934a866-0c14-476d-b279-568f3af4893a", + "modified": "2023-10-27T20:54:34.492083Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.492083Z", + "id": "relationship--f2ca22e3-84eb-4475-ab31-ca12fc47ebd0", + "modified": "2023-10-27T20:54:34.492083Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--bd62e695-7bf5-4d81-880b-c63f30635156", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.493081Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--f23ad5d9-1cb0-41a0-bfb8-fcda53887dfc", + "modified": "2023-10-27T20:54:34.493081Z", + "name": "Windows Registry Key Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.493081Z", + "data_component": "Windows Registry Key Modification", + "data_source": "Windows Registry", + "description": "RegistryEvent (Value Set)", + "event_id": "", + "id": "x-mitre-sensor-mapping--b628ff3c-913a-4132-92eb-18ff758999d0", + "modified": "2023-10-27T20:54:34.493081Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.494082Z", + "id": "relationship--0025910a-1011-4759-82e2-113fc221ca37", + "modified": "2023-10-27T20:54:34.494082Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f23ad5d9-1cb0-41a0-bfb8-fcda53887dfc", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.495088Z", + "data_component": "Windows Registry Key Modification", + "data_source": "Windows Registry", + "description": "RegistryEvent (Key and Value Rename)", + "event_id": "", + "id": "x-mitre-sensor-mapping--957f5f16-7f49-41ae-8342-67e7f8cb2bf3", + "modified": "2023-10-27T20:54:34.495088Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.495088Z", + "id": "relationship--d78a7ae0-dab2-472b-bf5d-d186a006a588", + "modified": "2023-10-27T20:54:34.495088Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f23ad5d9-1cb0-41a0-bfb8-fcda53887dfc", + "type": "relationship" + }, + { + 
"created": "2023-10-27T20:54:34.437411Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "modified": "2023-10-27T20:54:34.437411Z", + "name": "WMI Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.496083Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WmiEvent (WmiEventFilter activity detected).", + "event_id": "", + "id": "x-mitre-sensor-mapping--780ab1bc-6049-4beb-96d3-a45ff5bfc56b", + "modified": "2023-10-27T20:54:34.496083Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.496083Z", + "id": "relationship--2e440251-dd8f-43bd-a851-e00232ce4e0f", + "modified": "2023-10-27T20:54:34.496083Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.497149Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WmiEvent (WmiEventConsumer activity detected).", + "event_id": "", + "id": "x-mitre-sensor-mapping--3f3d36d6-a81d-42ef-a7de-37fbda3d5ab4", + "modified": "2023-10-27T20:54:34.497149Z", + "relationship": "Created", + 
"revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.497149Z", + "id": "relationship--ce557ce6-2130-4294-ac78-bdddad38fcdf", + "modified": "2023-10-27T20:54:34.497149Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.498234Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--0e70fe01-fbc7-4e0a-b9ca-0204cb085952", + "modified": "2023-10-27T20:54:34.498234Z", + "name": "WMI Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.498234Z", + "data_component": "WMI Deletion", + "data_source": "WMI", + "description": "WmiEvent (WmiEventFilter activity detected).", + "event_id": "", + "id": "x-mitre-sensor-mapping--738767bb-d93e-4aef-bf94-29e53f87255e", + "modified": "2023-10-27T20:54:34.498234Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.499491Z", + "id": "relationship--bfa6b0c0-45d5-4f91-b2a5-5c9fda9eb75f", + "modified": "2023-10-27T20:54:34.499491Z", + "relationship_type": 
"Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0e70fe01-fbc7-4e0a-b9ca-0204cb085952", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.499491Z", + "data_component": "WMI Deletion", + "data_source": "WMI", + "description": "WmiEvent (WmiEventConsumer activity detected).", + "event_id": "", + "id": "x-mitre-sensor-mapping--560ed321-e8b2-4454-b684-5e07256782b6", + "modified": "2023-10-27T20:54:34.499491Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.500583Z", + "id": "relationship--41dcb1bf-19e6-45a7-b28d-5138a5989310", + "modified": "2023-10-27T20:54:34.500583Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--0e70fe01-fbc7-4e0a-b9ca-0204cb085952", + "type": "relationship" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/mappings/stix/enterprise/WinEvtx-mappings-enterprise.json b/mappings/stix/enterprise/WinEvtx-mappings-enterprise.json new file mode 100644 index 0000000..45ad6b4 --- /dev/null +++ b/mappings/stix/enterprise/WinEvtx-mappings-enterprise.json 
@@ -0,0 +1,5042 @@ +{ + "id": "bundle--d43d1c0e-aa1e-42cd-a23f-58ff8bc81b8f", + "objects": [ + { + "created": "2023-10-27T20:54:34.526521Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--41fcc984-6e02-467d-b6df-5e8c03d593ca", + "modified": "2023-10-27T20:54:34.526521Z", + "name": "Active Directory Credential Request", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.527185Z", + "data_component": "Active Directory Credential Request", + "data_source": "Active Directory", + "description": "A Kerberos authentication ticket (TGT) was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9c25aa9b-6555-47aa-9435-dc6297bcaa84", + "modified": "2023-10-27T20:54:34.527185Z", + "relationship": "Requested", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Credential", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.527185Z", + "id": "relationship--50cc2496-7975-4146-bd53-1672108dc274", + "modified": "2023-10-27T20:54:34.527185Z", + "relationship_type": "Requested", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--41fcc984-6e02-467d-b6df-5e8c03d593ca", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.52866Z", + "data_component": "Active Directory Credential Request", + "data_source": "Active Directory", + "description": "A Kerberos 
service ticket was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--42d981be-3b91-4148-b1bc-d20ebe919845", + "modified": "2023-10-27T20:54:34.52866Z", + "relationship": "Requested", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Credential", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.52866Z", + "id": "relationship--ef4f75be-a35c-4d8d-8f93-99593383f675", + "modified": "2023-10-27T20:54:34.52866Z", + "relationship_type": "Requested", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--41fcc984-6e02-467d-b6df-5e8c03d593ca", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.529735Z", + "data_component": "Active Directory Credential Request", + "data_source": "Active Directory", + "description": "Kerberos pre-authentication failed", + "event_id": "", + "id": "x-mitre-sensor-mapping--ef0f9bb4-c695-4222-b281-182279d2bb12", + "modified": "2023-10-27T20:54:34.529735Z", + "relationship": "Requested", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Credential", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.529735Z", + "id": "relationship--84bc03ab-7a7a-4721-ac75-cbc422a59296", + "modified": "2023-10-27T20:54:34.529735Z", + "relationship_type": "Requested", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--41fcc984-6e02-467d-b6df-5e8c03d593ca", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.860987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "modified": "2023-10-27T20:54:33.860987Z", + "name": 
"Active Directory Object Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.529735Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "A handle to an object was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8d86405c-5845-4857-aae4-9a7d178e0f17", + "modified": "2023-10-27T20:54:34.529735Z", + "relationship": "Requested Access To", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.530777Z", + "id": "relationship--4c40b31e-9c1b-41bf-935f-16dca02bf434", + "modified": "2023-10-27T20:54:34.530777Z", + "relationship_type": "Requested Access To", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.530777Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "An operation was performed on an object.", + "event_id": "", + "id": "x-mitre-sensor-mapping--e44dac91-9241-4482-a8b0-7bab361d6b1d", + "modified": "2023-10-27T20:54:34.530777Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": 
"DS0026" + }, + { + "created": "2023-10-27T20:54:34.531855Z", + "id": "relationship--191658ee-9d9e-45ca-a151-9c793df37f61", + "modified": "2023-10-27T20:54:34.531855Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.531855Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "A Kerberos service ticket request failed", + "event_id": "", + "id": "x-mitre-sensor-mapping--ac963d4f-5f60-406b-a768-5efa8bf8a1f7", + "modified": "2023-10-27T20:54:34.531855Z", + "relationship": "Requested", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service Ticket", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.531855Z", + "id": "relationship--e358ac3f-245e-4a63-a3d8-99e7c8a70ec0", + "modified": "2023-10-27T20:54:34.531855Z", + "relationship_type": "Requested", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.532894Z", + "data_component": "Active Directory Object Access", + "data_source": "Active Directory", + "description": "Synchronization of a replica of an Active Directory naming context has begun.", + "event_id": "", + "id": "x-mitre-sensor-mapping--88ce15fc-750f-40ea-8257-f2d2cd1e92d7", + "modified": "2023-10-27T20:54:34.532894Z", + "relationship": "Accessed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": 
"2023-10-27T20:54:34.534192Z", + "id": "relationship--ec5bfc6b-e8fd-43ab-aa0f-41861dd058e7", + "modified": "2023-10-27T20:54:34.534192Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a0350127-2edc-4572-ab19-ec549f177f80", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.865986Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e9adf20c-691f-488b-8c41-8c460a33c80e", + "modified": "2023-10-27T20:54:33.865986Z", + "name": "Active Directory Object Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.535185Z", + "data_component": "Active Directory Object Creation", + "data_source": "Active Directory", + "description": "A directory service object was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8ae512d0-202a-40a2-9ffb-7e34cd172548", + "modified": "2023-10-27T20:54:34.535185Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.535185Z", + "id": "relationship--f9da9ad0-475d-462b-a8dd-555f897eefbd", + "modified": "2023-10-27T20:54:34.535185Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + 
"target_ref": "x-mitre-data-component--e9adf20c-691f-488b-8c41-8c460a33c80e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.536268Z", + "data_component": "Active Directory Object Creation", + "data_source": "Active Directory", + "description": "A directory service object was undeleted", + "event_id": "", + "id": "x-mitre-sensor-mapping--0b39bc32-6bf2-4c60-ab41-d5c2e314e3a6", + "modified": "2023-10-27T20:54:34.536268Z", + "relationship": "Restored", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.536268Z", + "id": "relationship--e9998f75-228e-461b-b3a3-5cf0a967c9d6", + "modified": "2023-10-27T20:54:34.536268Z", + "relationship_type": "Restored", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e9adf20c-691f-488b-8c41-8c460a33c80e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.867987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2a0b2a05-c2e4-4fd4-968f-1d4dc130aa20", + "modified": "2023-10-27T20:54:33.867987Z", + "name": "Active Directory Object Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.537288Z", + "data_component": "Active Directory Object Deletion", + "data_source": "Active Directory", + "description": "A directory service object 
was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9ab01b4e-1cb2-4681-925c-f8674d58312c", + "modified": "2023-10-27T20:54:34.537288Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.537328Z", + "id": "relationship--bfc0fb77-26b2-48e3-9815-df755a7a5efc", + "modified": "2023-10-27T20:54:34.537328Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2a0b2a05-c2e4-4fd4-968f-1d4dc130aa20", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.883987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "modified": "2023-10-27T20:54:33.883987Z", + "name": "Active Directory Object Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.537328Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "System audit policy was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9eb22e69-fb90-4825-baed-4fd9ce117787", + "modified": "2023-10-27T20:54:34.537328Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.538396Z", + "id": "relationship--5322ec7d-698e-461d-ab9b-4e151ef88443", + "modified": "2023-10-27T20:54:34.538396Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.538396Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "A security-enabled global group was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--dc8fef80-73f7-4926-a2a4-c1fd75e113b9", + "modified": "2023-10-27T20:54:34.538396Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.539443Z", + "id": "relationship--0e7f27d3-534f-48e2-b2a2-a3a67b2a417f", + "modified": "2023-10-27T20:54:34.539443Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.539443Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "A Kerberos service ticket was renewed", + "event_id": "", + "id": "x-mitre-sensor-mapping--f3ae9908-abb8-4efd-bbbc-2e4570acbcd2", + "modified": "2023-10-27T20:54:34.539443Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Credential", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + 
"created": "2023-10-27T20:54:34.539443Z", + "id": "relationship--c205c101-6dfa-490c-9a76-f27569b4e99e", + "modified": "2023-10-27T20:54:34.539443Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.540532Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "A directory service object was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--66ab43da-b372-4df3-ad08-e082eb517e97", + "modified": "2023-10-27T20:54:34.540532Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.540532Z", + "id": "relationship--524fd9f6-23d9-40e5-a7ca-4600db6c0639", + "modified": "2023-10-27T20:54:34.540532Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.541905Z", + "data_component": "Active Directory Object Modification", + "data_source": "Active Directory", + "description": "A directory service object was moved.", + "event_id": "", + "id": "x-mitre-sensor-mapping--2f4aa5f7-d924-4b3d-b319-a76ce127ab65", + "modified": "2023-10-27T20:54:34.541905Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ad Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0026" + }, + { + "created": "2023-10-27T20:54:34.541905Z", + "id": 
"relationship--87bf8f06-1a10-4d16-8831-f304b234c2d9", + "modified": "2023-10-27T20:54:34.541905Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--d6188aac-17db-4861-845f-57c369f9b4c8", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--639f4aa6-8058-4980-b77a-f711161c47d1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.646871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--206469c7-f0a2-4e86-a373-a455b845e1e5", + "modified": "2023-10-27T20:54:33.646871Z", + "name": "Command Execution", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.542908Z", + "data_component": "Command Execution", + "data_source": "Command", + "description": "Module logging.", + "event_id": "", + "id": "x-mitre-sensor-mapping--92c47e8e-fce7-45ac-b5e6-824b31f678e5", + "modified": "2023-10-27T20:54:34.542908Z", + "relationship": "Executed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Command", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0017" + }, + { + "created": "2023-10-27T20:54:34.542908Z", + "id": "relationship--82494028-9f8f-4f65-8f0a-d6649041a7a0", + "modified": "2023-10-27T20:54:34.542908Z", + "relationship_type": "Executed", + "revoked": false, + "source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--206469c7-f0a2-4e86-a373-a455b845e1e5", + "type": "relationship" 
+ }, + { + "created": "2023-10-27T20:54:34.196777Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--806c044c-2cb9-49c6-893e-30675b5e4679", + "modified": "2023-10-27T20:54:34.196777Z", + "name": "Drive Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.543904Z", + "data_component": "Drive Creation", + "data_source": "Drive", + "description": "A new external device was recognized by the system.", + "event_id": "", + "id": "x-mitre-sensor-mapping--3ce688cc-3800-4ee6-b46e-d2083a9e98cc", + "modified": "2023-10-27T20:54:34.543904Z", + "relationship": "Installed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.543904Z", + "id": "relationship--115e1111-9f7c-464e-a7fd-67e3ddeaeb67", + "modified": "2023-10-27T20:54:34.543904Z", + "relationship_type": "Installed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--806c044c-2cb9-49c6-893e-30675b5e4679", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.544901Z", + "data_component": "Drive Creation", + "data_source": "Drive", + "description": "The installation of this device is forbidden by system policy.", + "event_id": "", + "id": "x-mitre-sensor-mapping--a230912d-760d-4b80-91eb-f1871f9faf84", + "modified": 
"2023-10-27T20:54:34.544901Z", + "relationship": "Attempted To Install", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.544901Z", + "id": "relationship--71c081fd-e35a-4417-80f1-e479fdbf887f", + "modified": "2023-10-27T20:54:34.544901Z", + "relationship_type": "Attempted To Install", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--806c044c-2cb9-49c6-893e-30675b5e4679", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.5459Z", + "data_component": "Drive Creation", + "data_source": "Drive", + "description": "The installation of this device was allowed, after having previously been forbidden by policy.", + "event_id": "", + "id": "x-mitre-sensor-mapping--71b6a11d-beb5-48d2-8d33-b39c85c4db60", + "modified": "2023-10-27T20:54:34.5459Z", + "relationship": "Installed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.5459Z", + "id": "relationship--7b9c9069-57d8-40b2-b6bb-241ebc5a6f7c", + "modified": "2023-10-27T20:54:34.5459Z", + "relationship_type": "Installed", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--806c044c-2cb9-49c6-893e-30675b5e4679", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.647867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "modified": "2023-10-27T20:54:33.647867Z", + "name": "Drive Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + 
], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.546904Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "A request was made to disable a device.", + "event_id": "", + "id": "x-mitre-sensor-mapping--bc20fd65-a76c-4ff7-bdbb-bba3eee9bc55", + "modified": "2023-10-27T20:54:34.546904Z", + "relationship": "Attempted To Disable", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.546904Z", + "id": "relationship--3710f3b6-412f-44dc-ac23-c2a32c4eb4df", + "modified": "2023-10-27T20:54:34.546904Z", + "relationship_type": "Attempted To Disable", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.547908Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "A device was disabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--b0fe03a7-c9bb-4179-8dfd-d59f1d27dfec", + "modified": "2023-10-27T20:54:34.547908Z", + "relationship": "Disabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.547908Z", + "id": "relationship--9d93fc00-9dcb-4eff-b227-b793dee8821c", + "modified": "2023-10-27T20:54:34.547908Z", + "relationship_type": 
"Disabled", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.547908Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "A request was made to enable a device.", + "event_id": "", + "id": "x-mitre-sensor-mapping--a15af5b2-de97-485e-bac1-61de4fa4dbef", + "modified": "2023-10-27T20:54:34.547908Z", + "relationship": "Attempted To Enable", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.548908Z", + "id": "relationship--69e5a352-48b1-4907-b941-3518be5df3d9", + "modified": "2023-10-27T20:54:34.548908Z", + "relationship_type": "Attempted To Enable", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.550096Z", + "data_component": "Drive Modification", + "data_source": "Drive", + "description": "A device was enabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--aca73812-0a48-45ba-8eb9-d8b69d04db20", + "modified": "2023-10-27T20:54:34.550096Z", + "relationship": "Enabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Drive", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0016" + }, + { + "created": "2023-10-27T20:54:34.551181Z", + "id": "relationship--aceb9605-db6d-447b-871a-582ee34d168b", + "modified": "2023-10-27T20:54:34.551181Z", + "relationship_type": "Enabled", + "revoked": false, + "source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "spec_version": "2.1", + 
"target_ref": "x-mitre-data-component--6aeec1b9-ae59-4a86-892d-5bd04f14cf64", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.648869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "modified": "2023-10-27T20:54:33.648869Z", + "name": "File Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.551181Z", + "data_component": "File Access", + "data_source": "File", + "description": "A handle to an object was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--87286cb3-6347-48cd-bd57-e300cc590add", + "modified": "2023-10-27T20:54:34.551181Z", + "relationship": "Requested Access To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.551181Z", + "id": "relationship--9fbc1217-0d18-42ce-8f62-12350d8ab044", + "modified": "2023-10-27T20:54:34.551181Z", + "relationship_type": "Requested Access To", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.552221Z", + "data_component": "File Access", + "data_source": "File", + "description": "A handle to an object was requested.", + "event_id": "", + "id": 
"x-mitre-sensor-mapping--4c27d592-7d43-4b7f-ab39-7da07c74db2e", + "modified": "2023-10-27T20:54:34.552221Z", + "relationship": "Requested Access To", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.552221Z", + "id": "relationship--cff120f8-283d-4eb0-bdc0-80698ece88e4", + "modified": "2023-10-27T20:54:34.552221Z", + "relationship_type": "Requested Access To", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.5533Z", + "data_component": "File Access", + "data_source": "File", + "description": "An attempt was made to access an object", + "event_id": "", + "id": "x-mitre-sensor-mapping--908c28c5-273f-4c63-9eff-594f0954643c", + "modified": "2023-10-27T20:54:34.5533Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.5533Z", + "id": "relationship--edb6396d-8815-4863-abab-a9ce6d30e285", + "modified": "2023-10-27T20:54:34.5533Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.55435Z", + "data_component": "File Access", + "data_source": "File", + "description": "An attempt was made to duplicate a handle to an object.", + "event_id": "", + "id": "x-mitre-sensor-mapping--6fc12a34-1ab9-49fd-aae7-0468a3a568fd", + "modified": "2023-10-27T20:54:34.55435Z", + "relationship": 
"Accessed", + "revoked": false, + "source": "File", + "spec_version": "2.1", + "target": "File Handle", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.55435Z", + "id": "relationship--aefbfac5-be8e-4e56-8d0f-3eb6e97ee976", + "modified": "2023-10-27T20:54:34.55435Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--88f2f2b0-1559-4650-9b84-74bdfdbf855b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.208309Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--c0c6bb35-9e38-47d5-be54-c33c1bcdd9f4", + "modified": "2023-10-27T20:54:34.208309Z", + "name": "File Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.555331Z", + "data_component": "File Creation", + "data_source": "File", + "description": "An attempt was made to access an object.", + "event_id": "", + "id": "x-mitre-sensor-mapping--13096ea2-7e2e-4b49-957f-18b792e960cb", + "modified": "2023-10-27T20:54:34.555331Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.555331Z", + "id": "relationship--cca7f556-14d4-4c50-9f01-28de12be11e2", + "modified": "2023-10-27T20:54:34.555331Z", + 
"relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--c0c6bb35-9e38-47d5-be54-c33c1bcdd9f4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65187Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "modified": "2023-10-27T20:54:33.65187Z", + "name": "File Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.556418Z", + "data_component": "File Deletion", + "data_source": "File", + "description": "An object was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--fbedc951-dc4c-477f-81ef-9d9d6ba8993f", + "modified": "2023-10-27T20:54:34.556418Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.557354Z", + "id": "relationship--bed073ae-9930-40ba-b623-c0fbc90579b5", + "modified": "2023-10-27T20:54:34.557354Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.557907Z", + "data_component": "File Deletion", + 
"data_source": "File", + "description": "An attempt was made to access an object.", + "event_id": "", + "id": "x-mitre-sensor-mapping--0d087181-9c0f-4cb1-b895-c8dbede2a802", + "modified": "2023-10-27T20:54:34.557907Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.557907Z", + "id": "relationship--edcc036d-7e75-4ad7-b66b-80242c436008", + "modified": "2023-10-27T20:54:34.557907Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e962d8f9-180d-4760-89f6-56a0a9a39c91", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.65287Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "modified": "2023-10-27T20:54:33.65287Z", + "name": "File Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.558913Z", + "data_component": "File Metadata", + "data_source": "File", + "description": "An attempt was made to create a hard link.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ceee3dd0-3dcb-4692-a7e2-0f70592c5389", + "modified": "2023-10-27T20:54:34.558913Z", + "relationship": "Modified", + "revoked": false, + "source": "File", + "spec_version": "2.1", + "target": "File", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.558913Z", + "id": "relationship--74da109e-a3cf-4828-9800-c6927cddd9ab", + "modified": "2023-10-27T20:54:34.558913Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--853c390b-9b45-4f0b-8fbc-98eb33bdc5ee", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.655922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "modified": "2023-10-27T20:54:33.655922Z", + "name": "File Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.560025Z", + "data_component": "File Modification", + "data_source": "File", + "description": "Permissions on an object were changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--b59007c7-6f4d-438a-9b07-01de7965c22c", + "modified": "2023-10-27T20:54:34.560025Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0022" + }, + { + "created": "2023-10-27T20:54:34.560025Z", + "id": "relationship--9087f6c7-1417-40a8-98dc-0ec41effaba8", + "modified": "2023-10-27T20:54:34.560025Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": 
"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--de72f4a3-cc85-4603-b783-685e80ad91c6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.561113Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--52ee3a9f-5707-4e94-a6cd-b6bbe9969e96", + "modified": "2023-10-27T20:54:34.561113Z", + "name": "Firewall Disable", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.561113Z", + "data_component": "Firewall Disable", + "data_source": "Firewall", + "description": "The Windows Firewall Service has been stopped.", + "event_id": "", + "id": "x-mitre-sensor-mapping--1de758a3-61c0-421f-a99c-595a423fcdc0", + "modified": "2023-10-27T20:54:34.561113Z", + "relationship": "Disabled", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.562137Z", + "id": "relationship--f6d9cdee-949d-4dca-83f4-7fe950bcf805", + "modified": "2023-10-27T20:54:34.562137Z", + "relationship_type": "Disabled", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--52ee3a9f-5707-4e94-a6cd-b6bbe9969e96", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.562137Z", + "data_component": "Firewall Disable", + "data_source": "Firewall", + 
"description": "The Windows Firewall Driver was stopped.", + "event_id": "", + "id": "x-mitre-sensor-mapping--38ff9b62-9bd1-4750-b255-7e4e5ab16bad", + "modified": "2023-10-27T20:54:34.562137Z", + "relationship": "Disabled", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.563223Z", + "id": "relationship--e4b7f7a5-0a3f-491e-a064-050a6d789dc1", + "modified": "2023-10-27T20:54:34.563223Z", + "relationship_type": "Disabled", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--52ee3a9f-5707-4e94-a6cd-b6bbe9969e96", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.563223Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--bca991d1-d6c6-4580-9657-6fc479fa3810", + "modified": "2023-10-27T20:54:34.563223Z", + "name": "Firewall Enabled", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.564338Z", + "data_component": "Firewall Enabled", + "data_source": "Firewall", + "description": "The Windows Firewall Service has started successfully.", + "event_id": "", + "id": "x-mitre-sensor-mapping--19a8e526-1d27-4d6a-817f-9afad153963a", + "modified": "2023-10-27T20:54:34.564338Z", + "relationship": "Enabled", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": 
"Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.565253Z", + "id": "relationship--acbb99d7-df2a-4601-8b87-a739981429f8", + "modified": "2023-10-27T20:54:34.565253Z", + "relationship_type": "Enabled", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--bca991d1-d6c6-4580-9657-6fc479fa3810", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.236259Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "modified": "2023-10-27T20:54:34.236259Z", + "name": "Firewall Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.56625Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "A Windows Defender Firewall setting has changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--e31424d2-2eee-473b-8f33-91c074b963a8", + "modified": "2023-10-27T20:54:34.56625Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.56625Z", + "id": "relationship--b099c199-bd82-495e-b41e-35ab5a82d9bc", + "modified": "2023-10-27T20:54:34.56625Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": 
"x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.567373Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "A Windows Defender Firewall setting in the Private profile has changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8136df0d-d482-4e96-8cdd-e70cedec7636", + "modified": "2023-10-27T20:54:34.567373Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.568371Z", + "id": "relationship--51d8780f-7d8c-4999-9b2a-845d62fe4792", + "modified": "2023-10-27T20:54:34.568371Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.569405Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "The Windows Firewall service failed to load Group Policy.", + "event_id": "", + "id": "x-mitre-sensor-mapping--3ee2db9d-b717-4ad6-85d2-66b55516c91c", + "modified": "2023-10-27T20:54:34.569405Z", + "relationship": "Attempted To Load", + "revoked": false, + "source": "Firewall", + "spec_version": "2.1", + "target": "Configuration", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.569405Z", + "id": "relationship--a1fc3b86-26b4-49a8-b576-7d27c55d3e28", + "modified": "2023-10-27T20:54:34.569405Z", + "relationship_type": "Attempted To Load", + "revoked": false, + "source_ref": 
"x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.570483Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "A windows firewall setting has changed", + "event_id": "", + "id": "x-mitre-sensor-mapping--b1b4be04-f309-4459-b89c-89d4993bd3ad", + "modified": "2023-10-27T20:54:34.570483Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Setting", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.571555Z", + "id": "relationship--e11f41c0-46c2-4bdd-bb00-a25c9fbbea0a", + "modified": "2023-10-27T20:54:34.571555Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.572555Z", + "data_component": "Firewall Metadata", + "data_source": "Firewall", + "description": "Windows firewall group policy settings has changed", + "event_id": "", + "id": "x-mitre-sensor-mapping--26dc20e2-0b2b-4105-b6cd-3559abc6cc9d", + "modified": "2023-10-27T20:54:34.572555Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Group Policy", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.57355Z", + "id": "relationship--99092a26-2400-4d7d-bb10-334f0d7fb469", + "modified": "2023-10-27T20:54:34.57355Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + 
"target_ref": "x-mitre-data-component--93ab2ba4-f937-4203-a34a-fc2224bd3d49", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.660871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "modified": "2023-10-27T20:54:33.660871Z", + "name": "Firewall Rule Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.577551Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A rule has been added to the Windows Defender Firewall exception list", + "event_id": "", + "id": "x-mitre-sensor-mapping--bff93520-1875-4c76-a741-4b207a85119f", + "modified": "2023-10-27T20:54:34.577551Z", + "relationship": "Add", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.578548Z", + "id": "relationship--3fdaba1c-b39e-4f7f-949c-60632a22f076", + "modified": "2023-10-27T20:54:34.578548Z", + "relationship_type": "Add", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.578548Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A rule has been modified in 
the Windows Defender Firewall exception list.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ca8b11d5-1f50-40ed-b403-58fba0ec03de", + "modified": "2023-10-27T20:54:34.578548Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.580773Z", + "id": "relationship--af621c0d-38ff-4268-b2a6-269bfe0be5cc", + "modified": "2023-10-27T20:54:34.580773Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.582772Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A rule has been deleted in the Windows Defender Firewall exception list", + "event_id": "", + "id": "x-mitre-sensor-mapping--70eb0537-b908-4559-a93c-f1d0a6d791d4", + "modified": "2023-10-27T20:54:34.582772Z", + "relationship": "Removed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.582772Z", + "id": "relationship--ba615bbb-fd2c-4096-a9f1-c16b0cbef34a", + "modified": "2023-10-27T20:54:34.582772Z", + "relationship_type": "Removed", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.584398Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "All rules have been deleted from the Windows Firewall 
configuration on this computer.", + "event_id": "", + "id": "x-mitre-sensor-mapping--759f4177-0d8d-459c-b41d-9ef45d257924", + "modified": "2023-10-27T20:54:34.584398Z", + "relationship": "Removed", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.585387Z", + "id": "relationship--76091b37-5247-462f-afa8-72342968b8bd", + "modified": "2023-10-27T20:54:34.585387Z", + "relationship_type": "Removed", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.586454Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A change has been made to Windows Firewall exception list. A rule was added.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8c9bdd3d-5f41-4f6d-be01-59cd9798c752", + "modified": "2023-10-27T20:54:34.586454Z", + "relationship": "Added", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.586454Z", + "id": "relationship--2478de4d-d1d7-4692-aad0-0deb1a6f9e58", + "modified": "2023-10-27T20:54:34.586454Z", + "relationship_type": "Added", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.587386Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A change has been made to Windows Firewall exception list. 
A rule was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--377d489d-5ea3-4fc2-868d-95166f83ea9f", + "modified": "2023-10-27T20:54:34.587386Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.588393Z", + "id": "relationship--31dafcb4-0cca-40ed-a96e-aa824a81ac9b", + "modified": "2023-10-27T20:54:34.588393Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.589389Z", + "data_component": "Firewall Rule Modification", + "data_source": "Firewall", + "description": "A change has been made to Windows Firewall exception list. A rule was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d4bf5bd9-47e2-43d6-90c2-552f4adfe734", + "modified": "2023-10-27T20:54:34.589389Z", + "relationship": "Removed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Firewall Rule", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0018" + }, + { + "created": "2023-10-27T20:54:34.59039Z", + "id": "relationship--ff6e9bf9-5a8c-41e4-9c1b-640f55612f35", + "modified": "2023-10-27T20:54:34.59039Z", + "relationship_type": "Removed", + "revoked": false, + "source_ref": "x-mitre-data-source--f2f4f4bd-3455-400f-b2ee-104004df0f5b", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ae933443-668f-43c9-9f71-a6611e1afca1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.662867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "modified": 
"2023-10-27T20:54:33.662867Z", + "name": "Group Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.591389Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "A security-enabled global group was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--2a5b9900-387d-4380-9837-2407899c46f0", + "modified": "2023-10-27T20:54:34.591389Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.592392Z", + "id": "relationship--45f84032-7b4d-4fe4-8aef-f6617a53c383", + "modified": "2023-10-27T20:54:34.592392Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.593393Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "A security-enabled local group was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--c9e9b4d4-5057-4bde-af4a-060b6c8bee0c", + "modified": "2023-10-27T20:54:34.593393Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": 
"2023-10-27T20:54:34.593984Z", + "id": "relationship--bc2683e8-2b2a-48b1-9a9b-0efa9897ba1c", + "modified": "2023-10-27T20:54:34.593984Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.594975Z", + "data_component": "Group Creation", + "data_source": "Group", + "description": "A security-enabled universal group was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--928118cb-fc65-4e11-8436-66b9e8bcb0aa", + "modified": "2023-10-27T20:54:34.594975Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.595975Z", + "id": "relationship--9fd31298-78b5-4917-9ff2-e525748f9def", + "modified": "2023-10-27T20:54:34.595975Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--347506ef-c1d2-44ad-9c09-0cd97d19c9d4", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.664867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "modified": "2023-10-27T20:54:33.664867Z", + "name": "Group Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.596686Z", + "data_component": "Group Deletion", + "data_source": "Group", + "description": "A security-enabled global group was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--4c7b6251-be4c-4a46-82b9-4dd502bd1203", + "modified": "2023-10-27T20:54:34.596686Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.59768Z", + "id": "relationship--58faa5f6-f111-419b-b3d7-72f07c5c533b", + "modified": "2023-10-27T20:54:34.59768Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.59768Z", + "data_component": "Group Deletion", + "data_source": "Group", + "description": "A security-enabled local group was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--fe516a78-5775-4c38-9472-8492c62f9876", + "modified": "2023-10-27T20:54:34.59768Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.598676Z", + "id": "relationship--dcf6481d-aa0f-4574-be53-0c39cea69528", + "modified": "2023-10-27T20:54:34.598676Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.599676Z", + "data_component": 
"Group Deletion", + "data_source": "Group", + "description": "A security-enabled universal group was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--0eb91241-e300-480e-af24-d5e0c81ed1e9", + "modified": "2023-10-27T20:54:34.599676Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.599676Z", + "id": "relationship--7d88ca0b-b512-4218-bad2-e3427281ef43", + "modified": "2023-10-27T20:54:34.599676Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d047a5b6-eb1e-403d-8e7e-665e508a8b8d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.927065Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "modified": "2023-10-27T20:54:33.927065Z", + "name": "Group Enumeration", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.600689Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "A user's local group membership was enumerated.", + "event_id": "", + "id": "x-mitre-sensor-mapping--f28ff076-2511-4ae0-bb56-61caad46b722", + "modified": "2023-10-27T20:54:34.600689Z", + "relationship": "Enumerated", + "revoked": false, + "source": "User", + 
"spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.600689Z", + "id": "relationship--ea3cee85-7f7c-44f1-b6dd-2d2e56a947c7", + "modified": "2023-10-27T20:54:34.600689Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.601686Z", + "data_component": "Group Enumeration", + "data_source": "Group", + "description": "A security-enabled local group membership was enumerated.", + "event_id": "", + "id": "x-mitre-sensor-mapping--4b917b25-a935-4e2b-8d52-fb6d1da584d2", + "modified": "2023-10-27T20:54:34.601686Z", + "relationship": "Enumerated", + "revoked": false, + "source": "Group", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.601686Z", + "id": "relationship--2c2e97eb-d2fb-4bb3-8cea-e498f19d543b", + "modified": "2023-10-27T20:54:34.601686Z", + "relationship_type": "Enumerated", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--01d3c190-917b-4361-873f-fa970b9ac0d9", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.940158Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "modified": "2023-10-27T20:54:33.940158Z", + "name": "Group Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_data_source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.602672Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was removed from a security-enabled global group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--c5c7c883-5d0c-46a1-b418-5381bd234ecc", + "modified": "2023-10-27T20:54:34.602672Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.603675Z", + "id": "relationship--f4acd63f-be8b-47da-bf14-5d75d8f9ef22", + "modified": "2023-10-27T20:54:34.603675Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.603675Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was added to a security-enabled local group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--1ee46d99-888f-4a62-954b-3833c41305c5", + "modified": "2023-10-27T20:54:34.603675Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.604672Z", + "id": "relationship--0c654195-faa1-45fc-9d1f-1cb665067e52", + "modified": "2023-10-27T20:54:34.604672Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": 
"x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.60567Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was removed from a security-enabled local group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d3758081-baa6-49b2-a3bc-8bb2d9458f9d", + "modified": "2023-10-27T20:54:34.60567Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.60567Z", + "id": "relationship--53fab98d-155d-4162-b23c-ece5d5f8d778", + "modified": "2023-10-27T20:54:34.60567Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.606677Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A security-enabled local group was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--36269f0c-95e8-439c-9b86-9d6246f7a370", + "modified": "2023-10-27T20:54:34.606677Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.606677Z", + "id": "relationship--85e0899f-273b-4951-8db2-d6f8a5ca4a82", + "modified": "2023-10-27T20:54:34.606677Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.607671Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A security-enabled universal group was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--99dbd254-2b9d-4038-8387-2aa779c12108", + "modified": "2023-10-27T20:54:34.607671Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.608675Z", + "id": "relationship--31acc7b3-74c8-4091-ab57-6833387188e1", + "modified": "2023-10-27T20:54:34.608675Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.608675Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was added to a security-enabled universal group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--c00367e8-0dd6-49e9-b08a-d24370fe5df9", + "modified": "2023-10-27T20:54:34.608675Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.609675Z", + "id": "relationship--06b72d9f-b85a-47b3-927c-d9bcc709cefd", + "modified": "2023-10-27T20:54:34.609675Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": 
"2023-10-27T20:54:34.610674Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A member was removed from a security-enabled universal group.", + "event_id": "", + "id": "x-mitre-sensor-mapping--7c0f70ce-4701-4edd-89b0-b887e38792d0", + "modified": "2023-10-27T20:54:34.610674Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.610674Z", + "id": "relationship--0b0790fd-7dbd-479f-b66e-1061a601bdfc", + "modified": "2023-10-27T20:54:34.610674Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.611672Z", + "data_component": "Group Modification", + "data_source": "Group", + "description": "A groups type was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--877d4fa0-3cde-414c-80d7-935ae5e07459", + "modified": "2023-10-27T20:54:34.611672Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Group", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0036" + }, + { + "created": "2023-10-27T20:54:34.611672Z", + "id": "relationship--38d48464-83bf-4d28-bab2-ddad9ca68aaf", + "modified": "2023-10-27T20:54:34.611672Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--3c07684f-3794-4536-8f70-21efe700c0ec", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--1c6dd6a4-c65c-4258-b194-0d56fac546e7", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.666871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": 
"x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "modified": "2023-10-27T20:54:33.666871Z", + "name": "Host Status", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.61267Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The event logging service has shut down.", + "event_id": "", + "id": "x-mitre-sensor-mapping--6c5ea4c1-e91c-4228-8eca-710021515205", + "modified": "2023-10-27T20:54:34.61267Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.61267Z", + "id": "relationship--427dae02-58bc-4991-acea-d224bdb22486", + "modified": "2023-10-27T20:54:34.61267Z", + "relationship_type": "Changed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.614249Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "Audit events have been dropped by the transport.", + "event_id": "", + "id": "x-mitre-sensor-mapping--2a214bc6-a38d-4968-ac7e-e73ecbf0bf59", + "modified": "2023-10-27T20:54:34.614249Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.614249Z", + "id": "relationship--828ddc73-60a9-4a53-852f-2adbd54efda4", + "modified": "2023-10-27T20:54:34.614249Z", + "relationship_type": "Changed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.61524Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The audit log was cleared.", + "event_id": "", + "id": "x-mitre-sensor-mapping--511fd4b0-72b0-4b29-b770-369debd0521c", + "modified": "2023-10-27T20:54:34.61524Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.616402Z", + "id": "relationship--32270e95-36d0-4430-98c9-b8f8b58c53ee", + "modified": "2023-10-27T20:54:34.616402Z", + "relationship_type": "Changed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.617242Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The security Log is now full.", + "event_id": "", + "id": "x-mitre-sensor-mapping--93cc7ac0-58cc-4070-afff-a388037c88e3", + "modified": "2023-10-27T20:54:34.617242Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.617242Z", + "id": 
"relationship--4ca16614-eb38-4dcd-afc5-270f70e73a3c", + "modified": "2023-10-27T20:54:34.617242Z", + "relationship_type": "Changed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.61824Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The system time was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--03100a8d-b268-43b7-bbe8-297f8d7e6980", + "modified": "2023-10-27T20:54:34.61824Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.61824Z", + "id": "relationship--364bf738-bd64-4bb2-9688-910104fadec4", + "modified": "2023-10-27T20:54:34.61824Z", + "relationship_type": "Changed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.619241Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The Event log service was started.", + "event_id": "", + "id": "x-mitre-sensor-mapping--47022cf5-f8d7-4976-b317-fe94eba08db5", + "modified": "2023-10-27T20:54:34.619241Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.619241Z", + "id": "relationship--25bff0d9-bdeb-460c-a98d-3d78f5709d5b", + "modified": "2023-10-27T20:54:34.619241Z", + "relationship_type": "Changed", + "revoked": false, + 
"source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.620238Z", + "data_component": "Host Status", + "data_source": "Sensor Health", + "description": "The Event log service was stopped.", + "event_id": "", + "id": "x-mitre-sensor-mapping--83b53e60-ed63-4968-a26b-f8431670c195", + "modified": "2023-10-27T20:54:34.620238Z", + "relationship": "Changed", + "revoked": false, + "source": "Sensor Health", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0013" + }, + { + "created": "2023-10-27T20:54:34.621239Z", + "id": "relationship--d2f8eb18-6454-45e5-b14a-fb7c58d1bd57", + "modified": "2023-10-27T20:54:34.621239Z", + "relationship_type": "Changed", + "revoked": false, + "source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6285b857-dce3-48d5-b785-9cf54a794604", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.668869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "modified": "2023-10-27T20:54:33.668869Z", + "name": "Logon Session Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.621239Z", + "data_component": "Logon Session Creation", + "data_source": "Logon 
Session", + "description": "An account was successfully logged on", + "event_id": "", + "id": "x-mitre-sensor-mapping--a8069d0d-080c-4c3b-a669-7ea01d67f55f", + "modified": "2023-10-27T20:54:34.621239Z", + "relationship": "Created Logon From", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ip/Port/Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.622237Z", + "id": "relationship--3d6ce4f9-5748-4620-b916-50fccdc53897", + "modified": "2023-10-27T20:54:34.622237Z", + "relationship_type": "Created Logon From", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.623237Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "A session was reconnected to a Window Station.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ea450fc4-cda7-4547-aa1d-c6d32ffb3db7", + "modified": "2023-10-27T20:54:34.623237Z", + "relationship": "Created Logon From", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ip", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.623237Z", + "id": "relationship--8652ec59-6cbd-4a6f-a8f5-bb2b220ee00d", + "modified": "2023-10-27T20:54:34.623237Z", + "relationship_type": "Created Logon From", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.625861Z", + "data_component": "Logon Session Creation", + "data_source": "Logon Session", + "description": "Special groups have been assigned 
to a new logon.", + "event_id": "", + "id": "x-mitre-sensor-mapping--15973cf6-638b-4183-8be0-7cdade8258c7", + "modified": "2023-10-27T20:54:34.625861Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.62786Z", + "id": "relationship--d046bc74-5801-47b7-b091-9577da5f9d84", + "modified": "2023-10-27T20:54:34.62786Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--92386085-c8b7-4050-818c-3ef9bb9bb6fb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.672871Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "modified": "2023-10-27T20:54:33.672871Z", + "name": "Logon Session Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.631857Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "An authentication package has been loaded by the Local Security Authority.", + "event_id": "", + "id": "x-mitre-sensor-mapping--e2a82e8e-f8bd-4edc-96e3-ac7e21cd238f", + "modified": "2023-10-27T20:54:34.631857Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.633478Z", + "id": "relationship--e774fb1a-010d-40e5-99ba-ac2e8e653dab", + "modified": "2023-10-27T20:54:34.633478Z", + "relationship_type": "Metadata", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.634026Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "A trusted logon process has been registered with the Local Security Authority.", + "event_id": "", + "id": "x-mitre-sensor-mapping--86734b51-cfa1-4564-b2fd-081f03626e71", + "modified": "2023-10-27T20:54:34.634026Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.635009Z", + "id": "relationship--e4b29b98-2456-4b24-8577-3d993750cc6d", + "modified": "2023-10-27T20:54:34.635009Z", + "relationship_type": "Metadata", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.636011Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "A notification package has been loaded by the Security Account Manager.", + "event_id": "", + "id": "x-mitre-sensor-mapping--74ba1fe3-1407-474c-bf9e-472a05ae5fc3", + "modified": "2023-10-27T20:54:34.636011Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": 
"DS0028" + }, + { + "created": "2023-10-27T20:54:34.636011Z", + "id": "relationship--7813c647-e737-4d3b-a6e2-11b60d7c818f", + "modified": "2023-10-27T20:54:34.636011Z", + "relationship_type": "Metadata", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.637012Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "A security package has been loaded by the Local Security Authority.", + "event_id": "", + "id": "x-mitre-sensor-mapping--58abf3cd-00de-41b5-a2f9-d3554713b424", + "modified": "2023-10-27T20:54:34.637012Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.638008Z", + "id": "relationship--1586943d-7623-4634-a6cf-2c3046f87ecf", + "modified": "2023-10-27T20:54:34.638008Z", + "relationship_type": "Metadata", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.638008Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "An account was logged off", + "event_id": "", + "id": "x-mitre-sensor-mapping--6f9650bf-b8e7-4443-b526-118954a130a3", + "modified": "2023-10-27T20:54:34.638008Z", + "relationship": "Terminated", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.639011Z", + "id": 
"relationship--bf56dfc4-8fcb-4fc6-b24d-8662db6a5313", + "modified": "2023-10-27T20:54:34.639011Z", + "relationship_type": "Terminated", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.640011Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "User initiated logoff.", + "event_id": "", + "id": "x-mitre-sensor-mapping--6152f292-7588-47e2-9462-5e6f5187961e", + "modified": "2023-10-27T20:54:34.640011Z", + "relationship": "Terminated", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Logon Session", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.640011Z", + "id": "relationship--acffb129-098f-4c30-9d14-72e30c446cfd", + "modified": "2023-10-27T20:54:34.640011Z", + "relationship_type": "Terminated", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.642012Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "A privileged service was called.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9e140269-21ea-42d0-bc9d-c06360ba0b44", + "modified": "2023-10-27T20:54:34.642012Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.643552Z", + "id": "relationship--b5fe866f-2c84-4417-8ba6-69317cddea14", + "modified": "2023-10-27T20:54:34.643552Z", + "relationship_type": "Metadata", + 
"revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.645544Z", + "data_component": "Logon Session Metadata", + "data_source": "Logon Session", + "description": "An operation was attempted on a privileged object.", + "event_id": "", + "id": "x-mitre-sensor-mapping--424ee977-ac4d-479c-8ede-93e009b43b2f", + "modified": "2023-10-27T20:54:34.645544Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.646544Z", + "id": "relationship--bfc5d1cd-034f-491b-84a7-d1dfad6a9773", + "modified": "2023-10-27T20:54:34.646544Z", + "relationship_type": "Metadata", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--d18460b6-f9e3-441c-9005-59c51e9ee412", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.647543Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a2c52e19-78f1-4183-b738-a9c311801e2a", + "modified": "2023-10-27T20:54:34.647543Z", + "name": "Logon Session Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.648545Z", + "data_component": "Logon 
Session Modification", + "data_source": "Logon Session", + "description": "Special privileges assigned to new logon.", + "event_id": "", + "id": "x-mitre-sensor-mapping--dea11216-2cc4-458c-a79d-31b991126266", + "modified": "2023-10-27T20:54:34.648545Z", + "relationship": "Modified", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.649545Z", + "id": "relationship--f81b3b76-bca9-4b4b-9140-915d07406a7a", + "modified": "2023-10-27T20:54:34.649545Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a2c52e19-78f1-4183-b738-a9c311801e2a", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.649545Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2f3228ee-695d-476c-aa4e-4bd76b759b51", + "modified": "2023-10-27T20:54:34.649545Z", + "name": "Logon Session Terminated", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.650544Z", + "data_component": "Logon Session Terminated", + "data_source": "Logon Session", + "description": "A session was disconnected from a Window Station", + "event_id": "", + "id": "x-mitre-sensor-mapping--6ae5a682-9915-40d8-a1a4-09fa941e59c1", + "modified": "2023-10-27T20:54:34.650544Z", + "relationship": "Disconnected Fom", + "revoked": false, + 
"source": "User", + "spec_version": "2.1", + "target": "Host", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0028" + }, + { + "created": "2023-10-27T20:54:34.651541Z", + "id": "relationship--74b4be23-321e-4d46-ac9b-abf4c1ce6918", + "modified": "2023-10-27T20:54:34.651541Z", + "relationship_type": "Disconnected Fom", + "revoked": false, + "source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2f3228ee-695d-476c-aa4e-4bd76b759b51", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.474126Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a1eae790-0019-48b4-ac25-a7d75544909f", + "modified": "2023-10-27T20:54:34.474126Z", + "name": "Named Pipe Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.652542Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "A handle to an object was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--dc4569db-0f31-4f8c-bbd9-adb9bc9f9f1f", + "modified": "2023-10-27T20:54:34.652542Z", + "relationship": "Created", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.652542Z", + "id": "relationship--21355096-af8b-4b92-a3d9-bdeb66b4e529", + "modified": "2023-10-27T20:54:34.652542Z", + "relationship_type": 
"Created", + "revoked": false, + "source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a1eae790-0019-48b4-ac25-a7d75544909f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.653541Z", + "data_component": "Named Pipe Metadata", + "data_source": "Named Pipe", + "description": "A network share object was checked to see whether client can be granted desired access.", + "event_id": "", + "id": "x-mitre-sensor-mapping--aca16137-534f-4157-9ef6-c007a797df96", + "modified": "2023-10-27T20:54:34.653541Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Pipe", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0023" + }, + { + "created": "2023-10-27T20:54:34.653541Z", + "id": "relationship--3c2ebade-60d8-4cfd-b63e-ff1d90b055cf", + "modified": "2023-10-27T20:54:34.653541Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--221adcd5-cccf-44df-9be6-ef607a6e1c3c", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a1eae790-0019-48b4-ac25-a7d75544909f", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.478308Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "modified": "2023-10-27T20:54:34.478308Z", + "name": "Network Connection Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": 
"2023-10-27T20:54:34.654543Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Firewall Service blocked an application from accepting incoming connections on the network.", + "event_id": "", + "id": "x-mitre-sensor-mapping--f7cb5714-055a-4899-9f6b-cf183445abe1", + "modified": "2023-10-27T20:54:34.654543Z", + "relationship": "Blocked Connection To", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.655543Z", + "id": "relationship--bb045c1e-eaac-442c-a66e-9d757a552f6c", + "modified": "2023-10-27T20:54:34.655543Z", + "relationship_type": "Blocked Connection To", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.656543Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.", + "event_id": "", + "id": "x-mitre-sensor-mapping--20cc4fdb-f364-4d6f-b6af-e2bb55c41235", + "modified": "2023-10-27T20:54:34.656543Z", + "relationship": "Permitted Listener On", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Ip/Port/Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.657542Z", + "id": "relationship--39cc5fff-59d4-4da9-8b47-f06be3458823", + "modified": "2023-10-27T20:54:34.657542Z", + "relationship_type": "Permitted Listener On", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.660097Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d1dc6913-62a4-43d9-813c-b9bf2558962f", + "modified": "2023-10-27T20:54:34.660097Z", + "relationship": "Listened On", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.661099Z", + "id": "relationship--b4625350-5192-447e-b5c0-945c0b80281c", + "modified": "2023-10-27T20:54:34.661099Z", + "relationship_type": "Listened On", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.662093Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.", + "event_id": "", + "id": "x-mitre-sensor-mapping--808cef8c-0de3-4efa-89e7-aee2c5721d9b", + "modified": "2023-10-27T20:54:34.662093Z", + "relationship": "Blocked Listener To", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Ip/Port/Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.663093Z", + "id": "relationship--78653e7c-66dd-4b89-849d-314f52758f80", + "modified": "2023-10-27T20:54:34.663093Z", + "relationship_type": "Blocked Listener To", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.664092Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d638a70c-1aaa-4abf-83d6-c62d5ebfe7ff", + "modified": "2023-10-27T20:54:34.664092Z", + "relationship": "Attempted To Listen On", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.665095Z", + "id": "relationship--f06cece0-54f5-4bf9-9446-f542118ea845", + "modified": "2023-10-27T20:54:34.665095Z", + "relationship_type": "Attempted To Listen On", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.666109Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has permitted a connection.", + "event_id": "", + "id": "x-mitre-sensor-mapping--317196bb-6b3e-45df-8467-52d65797ad41", + "modified": "2023-10-27T20:54:34.666109Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Ip/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.667092Z", + "id": "relationship--b6a97e00-2c09-4933-b705-0158b47a4b7f", + "modified": "2023-10-27T20:54:34.667092Z", + "relationship_type": "Connected To", + 
"revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.667092Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked a connection.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9e9e7531-4a45-4028-a198-2a5d5bfc9219", + "modified": "2023-10-27T20:54:34.667092Z", + "relationship": "Attempted Connection To/From", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Ip/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.668091Z", + "id": "relationship--d8ab307d-3572-4b16-8e96-e661bb60bc8e", + "modified": "2023-10-27T20:54:34.668091Z", + "relationship_type": "Attempted Connection To/From", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.669091Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked a connection.", + "event_id": "", + "id": "x-mitre-sensor-mapping--01c5c58a-3857-4744-afd2-955abfe3ec51", + "modified": "2023-10-27T20:54:34.669091Z", + "relationship": "Blocked Connection To", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Process/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.669091Z", + "id": "relationship--f346479d-beec-467d-9cb7-74ea50080fbd", + "modified": "2023-10-27T20:54:34.669091Z", + "relationship_type": "Blocked Connection 
To", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.670093Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has permitted a bind to a local port.", + "event_id": "", + "id": "x-mitre-sensor-mapping--7883811a-89f3-426b-b68e-2ff500541bc0", + "modified": "2023-10-27T20:54:34.670093Z", + "relationship": "Bound To", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.671096Z", + "id": "relationship--23fc597a-0d33-4ba8-873f-44f9311f0630", + "modified": "2023-10-27T20:54:34.671096Z", + "relationship_type": "Bound To", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.671096Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked a bind to a local port.", + "event_id": "", + "id": "x-mitre-sensor-mapping--60e33079-1834-45ce-a923-ecc7846d63f5", + "modified": "2023-10-27T20:54:34.671096Z", + "relationship": "Blocked Port Bind On", + "revoked": false, + "source": "Device", + "spec_version": "2.1", + "target": "Ip/Port/Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.672096Z", + "id": "relationship--1d428498-89c5-4882-aa67-fa03f6a521a3", + "modified": "2023-10-27T20:54:34.672096Z", + "relationship_type": "Blocked Port Bind On", + 
"revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.673095Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "The Windows Filtering Platform has blocked a bind to a local port.", + "event_id": "", + "id": "x-mitre-sensor-mapping--35442ebd-821e-4db5-89c0-c23809bc5f36", + "modified": "2023-10-27T20:54:34.673095Z", + "relationship": "Attempted To Bind On", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.674092Z", + "id": "relationship--35541dd0-1586-4107-beaa-d7c699bee903", + "modified": "2023-10-27T20:54:34.674092Z", + "relationship_type": "Attempted To Bind On", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.352744Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "modified": "2023-10-27T20:54:34.352744Z", + "name": "Network Share Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": 
"2023-10-27T20:54:34.675095Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "A network share object was accessed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--c0763b06-c5d3-4a9c-9b49-ea62040ec469", + "modified": "2023-10-27T20:54:34.675095Z", + "relationship": "Attempted To Access", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.676096Z", + "id": "relationship--36b63a6e-70fe-4a00-a5d0-1e7b62eb380e", + "modified": "2023-10-27T20:54:34.676096Z", + "relationship_type": "Attempted To Access", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.677092Z", + "data_component": "Network Share Access", + "data_source": "Network Share", + "description": "A network share object was checked to see whether client can be granted desired access.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ad97544a-05dc-47c7-b6e1-fb69c84c6526", + "modified": "2023-10-27T20:54:34.677092Z", + "relationship": "Attempted To Access", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.677092Z", + "id": "relationship--9806bb2a-faec-4831-bad5-d43f4a351054", + "modified": "2023-10-27T20:54:34.677092Z", + "relationship_type": "Attempted To Access", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--728e85bc-3e56-41e9-8100-e8fd8d82abc6", + "type": "relationship" + }, + { + "created": 
"2023-10-27T20:54:34.678095Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--37538723-57a7-47eb-a6be-fc5116c2383b", + "modified": "2023-10-27T20:54:34.678095Z", + "name": "Network Share Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.679093Z", + "data_component": "Network Share Creation", + "data_source": "Network Share", + "description": "A network share object was added.", + "event_id": "", + "id": "x-mitre-sensor-mapping--dc7464d2-3cb0-40f6-97e7-062ed0ca2e7d", + "modified": "2023-10-27T20:54:34.679093Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.679093Z", + "id": "relationship--da477ecc-bf0e-4248-a77e-9713d711975c", + "modified": "2023-10-27T20:54:34.679093Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--37538723-57a7-47eb-a6be-fc5116c2383b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.680095Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--2c0938b4-a521-424e-a923-a6c629a3fd06", + "modified": "2023-10-27T20:54:34.680095Z", + "name": "Network Share Deletion", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.680095Z", + "data_component": "Network Share Deletion", + "data_source": "Network Share", + "description": "A network share object was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--38cacfeb-ce28-414b-8ee2-39cf5450236d", + "modified": "2023-10-27T20:54:34.680095Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.681094Z", + "id": "relationship--8cdb0f55-c5fe-4bbe-a7f3-6315a0f258a0", + "modified": "2023-10-27T20:54:34.681094Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--2c0938b4-a521-424e-a923-a6c629a3fd06", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.681094Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--49259d6f-96c8-43d0-ab15-af6024b48086", + "modified": "2023-10-27T20:54:34.681094Z", + "name": "Network Share Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_domains": [ + 
"enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.682097Z", + "data_component": "Network Share Modification", + "data_source": "Network Share", + "description": "A network share object was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--b9b84ba9-4882-4c9b-9457-0943575ad58f", + "modified": "2023-10-27T20:54:34.682097Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Network Share", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0033" + }, + { + "created": "2023-10-27T20:54:34.683107Z", + "id": "relationship--9d4341f7-8350-466a-b9b4-3b7a3fe2f412", + "modified": "2023-10-27T20:54:34.683107Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--49259d6f-96c8-43d0-ab15-af6024b48086", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.681873Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--12fb7e95-8224-492c-b5e7-80903a6c8bfa", + "modified": "2023-10-27T20:54:33.681873Z", + "name": "Process Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.684091Z", + "data_component": "Process Access", + "data_source": "Process", + "description": "A handle to an object was requested", + "event_id": 
"", + "id": "x-mitre-sensor-mapping--994e9c11-3d25-4826-84e6-6ea185fde214", + "modified": "2023-10-27T20:54:34.684091Z", + "relationship": "Requested Access To", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.684091Z", + "id": "relationship--276ea5d0-2f1e-46fc-a2a0-5c1eba26d012", + "modified": "2023-10-27T20:54:34.684091Z", + "relationship_type": "Requested Access To", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--12fb7e95-8224-492c-b5e7-80903a6c8bfa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.685094Z", + "data_component": "Process Access", + "data_source": "Process", + "description": "An attempt was made to access an object", + "event_id": "", + "id": "x-mitre-sensor-mapping--1b8b6ba1-c013-42ae-9e11-2908774ea252", + "modified": "2023-10-27T20:54:34.685094Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.686091Z", + "id": "relationship--ebcc2c3f-8f6f-4f44-a15d-bb78a2c8e9fa", + "modified": "2023-10-27T20:54:34.686091Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--12fb7e95-8224-492c-b5e7-80903a6c8bfa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.684869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "modified": "2023-10-27T20:54:33.684869Z", + "name": "Process Creation", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.686091Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "Program execution. When you start a program you are creating a process that stays open until the program ends", + "event_id": "", + "id": "x-mitre-sensor-mapping--d4fb43d0-372d-4fb5-81fa-600b6c7fd205", + "modified": "2023-10-27T20:54:34.686091Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.687092Z", + "id": "relationship--aa70f171-5fb8-41ca-84af-0ac356b67ab7", + "modified": "2023-10-27T20:54:34.687092Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.688105Z", + "data_component": "Process Creation", + "data_source": "Process", + "description": "A primary token was assigned to process. 
The assigning process fields identifies the process that started the child (new) process", + "event_id": "", + "id": "x-mitre-sensor-mapping--6e92a629-f8db-4949-9e5b-c51482d632c4", + "modified": "2023-10-27T20:54:34.688105Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.689646Z", + "id": "relationship--90303827-f339-4ea1-9e7b-215ccb664f4c", + "modified": "2023-10-27T20:54:34.689646Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--3f2b47dd-48ea-4d68-9521-a8f7f56a4180", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.687867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--52a9b19a-9dcc-4eef-aff3-58d3e4523ceb", + "modified": "2023-10-27T20:54:33.687867Z", + "name": "Process Termination", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.690653Z", + "data_component": "Process Termination", + "data_source": "Process", + "description": "A process has exited.", + "event_id": "", + "id": "x-mitre-sensor-mapping--4aae9b9f-ebec-42e4-8efd-e3f93f1fce80", + "modified": "2023-10-27T20:54:34.690653Z", + "relationship": "Terminated", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": 
"Process", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0009" + }, + { + "created": "2023-10-27T20:54:34.690653Z", + "id": "relationship--52e35216-0242-4627-8229-c337df77661a", + "modified": "2023-10-27T20:54:34.690653Z", + "relationship_type": "Terminated", + "revoked": false, + "source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--52a9b19a-9dcc-4eef-aff3-58d3e4523ceb", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.69164Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--de9af4b8-5e67-4b8b-bc53-89a130ae71f0", + "modified": "2023-10-27T20:54:34.69164Z", + "name": "Scheduled Job Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.692641Z", + "data_component": "Scheduled Job Creation", + "data_source": "Scheduled Job", + "description": "A scheduled task was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d4eb6375-3fc8-4763-ac0b-d6eacd58ddde", + "modified": "2023-10-27T20:54:34.692641Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.692641Z", + "id": "relationship--d32b02c1-855c-4b73-90a8-327692b988cd", + "modified": "2023-10-27T20:54:34.692641Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--de9af4b8-5e67-4b8b-bc53-89a130ae71f0", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.692641Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--a7d0f588-a51d-40d4-9dc8-22a2500e4709", + "modified": "2023-10-27T20:54:34.692641Z", + "name": "Scheduled Job Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.693653Z", + "data_component": "Scheduled Job Deletion", + "data_source": "Scheduled Job", + "description": "A scheduled task was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--68df0a15-a726-4b08-ac4b-34825d614220", + "modified": "2023-10-27T20:54:34.693653Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.69464Z", + "id": "relationship--704267da-0794-4660-9c69-e8fafcacf8ec", + "modified": "2023-10-27T20:54:34.69464Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--a7d0f588-a51d-40d4-9dc8-22a2500e4709", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.69464Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": 
"x-mitre-data-component--51be98e7-45b6-40cb-86d3-0daf71ebad7e", + "modified": "2023-10-27T20:54:34.69464Z", + "name": "Scheduled Job Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.695642Z", + "data_component": "Scheduled Job Modification", + "data_source": "Scheduled Job", + "description": "A scheduled task was enabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--519983d9-918f-43d9-8ce4-69c222983f1a", + "modified": "2023-10-27T20:54:34.695642Z", + "relationship": "Enabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.696656Z", + "id": "relationship--3b2298f2-ee9f-47af-bb72-c5a8d3f36a73", + "modified": "2023-10-27T20:54:34.696656Z", + "relationship_type": "Enabled", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--51be98e7-45b6-40cb-86d3-0daf71ebad7e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.697655Z", + "data_component": "Scheduled Job Modification", + "data_source": "Scheduled Job", + "description": "A scheduled task was disabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--93d81310-8e48-442d-bf36-93c9afeb4066", + "modified": "2023-10-27T20:54:34.697655Z", + "relationship": "Disabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + 
"type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.698655Z", + "id": "relationship--c1a0f990-33c9-41db-8095-c12fcd7748f1", + "modified": "2023-10-27T20:54:34.698655Z", + "relationship_type": "Disabled", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--51be98e7-45b6-40cb-86d3-0daf71ebad7e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.699642Z", + "data_component": "Scheduled Job Modification", + "data_source": "Scheduled Job", + "description": "A scheduled task was updated.", + "event_id": "", + "id": "x-mitre-sensor-mapping--4bf8f1f3-37c8-4fb0-af68-039a38f1ac82", + "modified": "2023-10-27T20:54:34.699642Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Scheduled Job", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0003" + }, + { + "created": "2023-10-27T20:54:34.699642Z", + "id": "relationship--d3f8a338-aeeb-46e7-a77d-0ef3df686075", + "modified": "2023-10-27T20:54:34.699642Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--51be98e7-45b6-40cb-86d3-0daf71ebad7e", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.41011Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--addbbfdc-b803-4934-a50a-f1dca0787274", + "modified": "2023-10-27T20:54:34.41011Z", + "name": "Script Execution", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.700641Z", + "data_component": "Script Execution", + "data_source": "Script", + "description": "Module logging.", + "event_id": "", + "id": "x-mitre-sensor-mapping--be77c162-ac3e-46e1-8967-57ba0e1fb964", + "modified": "2023-10-27T20:54:34.700641Z", + "relationship": "Executed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Script", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0012" + }, + { + "created": "2023-10-27T20:54:34.701641Z", + "id": "relationship--e9e9a70b-ee14-41a5-9fee-7741437624a0", + "modified": "2023-10-27T20:54:34.701641Z", + "relationship_type": "Executed", + "revoked": false, + "source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--addbbfdc-b803-4934-a50a-f1dca0787274", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.701641Z", + "data_component": "Script Execution", + "data_source": "Script", + "description": "Script Block Logging.", + "event_id": "", + "id": "x-mitre-sensor-mapping--565947ca-0d3a-45f2-96df-2d7c4dde8a1a", + "modified": "2023-10-27T20:54:34.701641Z", + "relationship": "Executed", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Script", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0012" + }, + { + "created": "2023-10-27T20:54:34.70264Z", + "id": "relationship--4a109cf4-3174-4ad8-8af7-15c79f767654", + "modified": "2023-10-27T20:54:34.70264Z", + "relationship_type": "Executed", + "revoked": false, + "source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--addbbfdc-b803-4934-a50a-f1dca0787274", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.690869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--97e54b9b-0b7f-4b98-8672-e06e407c0b48", + "modified": "2023-10-27T20:54:33.690869Z", + "name": "Service Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.704645Z", + "data_component": "Service Access", + "data_source": "Service", + "description": "A handle to an object was requested.", + "event_id": "", + "id": "x-mitre-sensor-mapping--87b2918f-a699-4a50-bd65-cd2ab5cc8619", + "modified": "2023-10-27T20:54:34.704645Z", + "relationship": "Requested Access To", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.705648Z", + "id": "relationship--f35cc7b7-4aa6-4de1-bde1-72fafec945da", + "modified": "2023-10-27T20:54:34.705648Z", + "relationship_type": "Requested Access To", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--97e54b9b-0b7f-4b98-8672-e06e407c0b48", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.692869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e35fe7ee-5a6d-47c5-9505-7faed979e3d5", + "modified": 
"2023-10-27T20:54:33.692869Z", + "name": "Service Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.70665Z", + "data_component": "Service Creation", + "data_source": "Service", + "description": "A service was installed in the system.", + "event_id": "", + "id": "x-mitre-sensor-mapping--7c517e66-82c1-45e3-9f5b-e7dad465f62c", + "modified": "2023-10-27T20:54:34.70665Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Service", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.707644Z", + "id": "relationship--efe9e0b8-97a4-40db-9ae8-d5430dfbf499", + "modified": "2023-10-27T20:54:34.707644Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e35fe7ee-5a6d-47c5-9505-7faed979e3d5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.69607Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "modified": "2023-10-27T20:54:33.69607Z", + "name": "Service Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.709658Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "The Event log service was started.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ce94aebb-f40b-40ce-812d-54b84ee7b7cc", + "modified": "2023-10-27T20:54:34.709658Z", + "relationship": "Started", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.709658Z", + "id": "relationship--bfb129f3-7fc6-4cd0-bcad-f04e637d952b", + "modified": "2023-10-27T20:54:34.709658Z", + "relationship_type": "Started", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.71166Z", + "data_component": "Service Metadata", + "data_source": "Service", + "description": "The Event log service was stopped.", + "event_id": "", + "id": "x-mitre-sensor-mapping--95cf6ea5-3ae1-414a-b1af-d18367fd58ff", + "modified": "2023-10-27T20:54:34.71166Z", + "relationship": "Stopped", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0019" + }, + { + "created": "2023-10-27T20:54:34.712738Z", + "id": "relationship--a5d2783f-c814-4dff-ba0b-6f6cfe8c42cc", + "modified": "2023-10-27T20:54:34.712738Z", + "relationship_type": "Stopped", + "revoked": false, + "source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--ba1aab5b-4d7e-4ab1-be22-02829cb50b02", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.726922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "modified": "2023-10-27T20:54:33.726922Z", + "name": "User Account Authentication", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.714648Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "A logon was attempted using explicit credentials.", + "event_id": "", + "id": "x-mitre-sensor-mapping--73a40ddb-4ce3-45cc-81d6-2bf648dea01c", + "modified": "2023-10-27T20:54:34.714648Z", + "relationship": "Attempted To Authenticate From", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ip/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.714648Z", + "id": "relationship--23459032-46c5-4542-83a7-b89d7e298134", + "modified": "2023-10-27T20:54:34.714648Z", + "relationship_type": "Attempted To Authenticate From", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.715723Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "The computer 
attempted to validate the credentials for an account", + "event_id": "", + "id": "x-mitre-sensor-mapping--6f4a7dc6-7092-4b60-8974-847a41c21516", + "modified": "2023-10-27T20:54:34.715723Z", + "relationship": "Authenticated From", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Device", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.716732Z", + "id": "relationship--211338f2-a18e-42f6-b0c1-3ad54bbd7384", + "modified": "2023-10-27T20:54:34.716732Z", + "relationship_type": "Authenticated From", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.717655Z", + "data_component": "User Account Authentication", + "data_source": "User Account", + "description": "An account failed to log on", + "event_id": "", + "id": "x-mitre-sensor-mapping--410e240d-2e6b-4eae-8821-d353980de72d", + "modified": "2023-10-27T20:54:34.717655Z", + "relationship": "Attempted To Authenticate From", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "Ip/Port", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.717655Z", + "id": "relationship--c045ab2b-50ee-4622-a90b-b7a05627d1c1", + "modified": "2023-10-27T20:54:34.717655Z", + "relationship_type": "Attempted To Authenticate From", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--6cfb87c0-a408-4eff-9d70-13e22cb6dff1", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.739931Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + 
"modified": "2023-10-27T20:54:33.739931Z", + "name": "User Account Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.718724Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "A user account was created", + "event_id": "", + "id": "x-mitre-sensor-mapping--b4ba2c18-adf5-430c-87df-c1b1c80bae94", + "modified": "2023-10-27T20:54:34.718724Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.719727Z", + "id": "relationship--cc10ddba-6cbb-4105-b00b-0587939b04dd", + "modified": "2023-10-27T20:54:34.719727Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.720708Z", + "data_component": "User Account Creation", + "data_source": "User Account", + "description": "A computer account was created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--cd79bb3a-e513-4c11-977d-1ca04f84e9bb", + "modified": "2023-10-27T20:54:34.720708Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + 
"created": "2023-10-27T20:54:34.720708Z", + "id": "relationship--d3c86bd4-4d95-41a2-a665-8c50cf799ad6", + "modified": "2023-10-27T20:54:34.720708Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--be7737ce-20f6-4e85-bce9-db8724887202", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.743925Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "modified": "2023-10-27T20:54:33.743925Z", + "name": "User Account Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.721726Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "A user account was deleted", + "event_id": "", + "id": "x-mitre-sensor-mapping--0a5c3f03-c736-42a9-b043-bc591bc1aca0", + "modified": "2023-10-27T20:54:34.721726Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.722731Z", + "id": "relationship--e8c9efa7-efa3-47fc-baf4-482370cb5ab7", + "modified": "2023-10-27T20:54:34.722731Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.723725Z", + "data_component": "User Account Deletion", + "data_source": "User Account", + "description": "A computer account was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--e7501fc3-b60d-4fa0-b357-341b868a4b49", + "modified": "2023-10-27T20:54:34.723725Z", + "relationship": "Deleted", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.723725Z", + "id": "relationship--19b3f3f2-2b2a-40d5-b172-bf8a0808cc0a", + "modified": "2023-10-27T20:54:34.723725Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f4f9f920-0400-4320-9fe7-df248ea72a3b", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.757924Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "modified": "2023-10-27T20:54:33.757924Z", + "name": "User Account Metadata", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.725641Z", + "data_component": "User Account Metadata", + "data_source": "User Account", + "description": "An operation was attempted on a privileged object", + "event_id": "", + "id": 
"x-mitre-sensor-mapping--b4854a02-a8e2-462b-9df5-450000d2a1bf", + "modified": "2023-10-27T20:54:34.725641Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "User Privileges", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.725641Z", + "id": "relationship--e7bc6c90-ce0c-43a5-9608-3091278e3a5e", + "modified": "2023-10-27T20:54:34.725641Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--99a28fca-17ab-4bfa-8d7f-6e59954a5049", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.762922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "modified": "2023-10-27T20:54:33.762922Z", + "name": "User Account Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.726697Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user right was adjusted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--fcfae151-327c-4a79-a856-588a4f8ab4a1", + "modified": "2023-10-27T20:54:34.726697Z", + "relationship": "Metadata", + "revoked": false, + "source": "Logon", + "spec_version": "2.1", + "target": "", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + 
"created": "2023-10-27T20:54:34.727654Z", + "id": "relationship--c4fae073-37bb-44be-aa2c-f1e38f02d733", + "modified": "2023-10-27T20:54:34.727654Z", + "relationship_type": "Metadata", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.728655Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "System security access was granted to an account.", + "event_id": "", + "id": "x-mitre-sensor-mapping--9192d4f4-a4b8-4078-8854-441db3e789b7", + "modified": "2023-10-27T20:54:34.728655Z", + "relationship": "Granted Access To", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.728655Z", + "id": "relationship--d90325a4-a6a8-401d-84cd-d57fdc0df49d", + "modified": "2023-10-27T20:54:34.728655Z", + "relationship_type": "Granted Access To", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.730663Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "System security access was removed from an account.", + "event_id": "", + "id": "x-mitre-sensor-mapping--ffb811be-2c92-43fe-a609-621dc33f5f66", + "modified": "2023-10-27T20:54:34.730663Z", + "relationship": "Removed Access To", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.730663Z", + "id": 
"relationship--78b6c4bf-6963-42e0-9bf0-b0a59787f22b", + "modified": "2023-10-27T20:54:34.730663Z", + "relationship_type": "Removed Access To", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.731658Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was enabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--d8f4a209-0869-44b7-9bfd-c06903230d1c", + "modified": "2023-10-27T20:54:34.731658Z", + "relationship": "Enabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.732648Z", + "id": "relationship--869809cb-e670-4f03-86cc-c8ea12db2a46", + "modified": "2023-10-27T20:54:34.732648Z", + "relationship_type": "Enabled", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.733647Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "An attempt was made to change an account's password.", + "event_id": "", + "id": "x-mitre-sensor-mapping--855aff4d-b4fe-4d3c-8df0-014efa14774a", + "modified": "2023-10-27T20:54:34.733647Z", + "relationship": "Attempted To Modify", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.734646Z", + "id": "relationship--911b1017-d89d-45ad-93dd-bf008e064b2a", + "modified": 
"2023-10-27T20:54:34.734646Z", + "relationship_type": "Attempted To Modify", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.73565Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "An attempt was made to reset an account's password", + "event_id": "", + "id": "x-mitre-sensor-mapping--7c8505e1-32d7-4dcb-8fb8-50c240d6b435", + "modified": "2023-10-27T20:54:34.73565Z", + "relationship": "Attempted To Modify", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.73565Z", + "id": "relationship--ce537272-0275-4231-b28b-80c30f2e9aa4", + "modified": "2023-10-27T20:54:34.73565Z", + "relationship_type": "Attempted To Modify", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.737643Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was disabled.", + "event_id": "", + "id": "x-mitre-sensor-mapping--25dadb52-d682-40bf-aea3-ffc85414c0bb", + "modified": "2023-10-27T20:54:34.737643Z", + "relationship": "Disabled", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.738658Z", + "id": "relationship--bb1461d0-bc00-4287-bbd7-ec74181e02a3", + "modified": "2023-10-27T20:54:34.738658Z", + "relationship_type": "Disabled", + 
"revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.739732Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--8f6d37f1-396c-47e3-a7bb-6ca1ba19a6be", + "modified": "2023-10-27T20:54:34.739732Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.739732Z", + "id": "relationship--79601852-4638-4a70-a3e3-d8bc9987be09", + "modified": "2023-10-27T20:54:34.739732Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.740729Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was locked out.", + "event_id": "", + "id": "x-mitre-sensor-mapping--27ecc59a-e060-48f0-8e28-83d8a495f4b3", + "modified": "2023-10-27T20:54:34.740729Z", + "relationship": "Locked", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.741645Z", + "id": "relationship--2f5accb9-03df-4f4b-addd-a40b3dd14935", + "modified": "2023-10-27T20:54:34.741645Z", + "relationship_type": "Locked", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + 
"target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.742647Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A computer account was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--6e635ed3-12ba-4ba6-8980-6887945d0591", + "modified": "2023-10-27T20:54:34.742647Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.743759Z", + "id": "relationship--5fa33adb-ef2e-4578-a9e6-d8df499d57c6", + "modified": "2023-10-27T20:54:34.743759Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.744775Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "A user account was unlocked.", + "event_id": "", + "id": "x-mitre-sensor-mapping--be1540fe-06c7-4057-85e3-6767f8fe1be2", + "modified": "2023-10-27T20:54:34.744775Z", + "relationship": "Unlocked", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.744775Z", + "id": "relationship--8a9e543a-d9be-4d9f-82d0-e217e09f7f49", + "modified": "2023-10-27T20:54:34.744775Z", + "relationship_type": "Unlocked", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + 
"created": "2023-10-27T20:54:34.745834Z", + "data_component": "User Account Modification", + "data_source": "User Account", + "description": "The name of an account was changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--0fb4b9ef-bd1e-4d49-b62e-b66e894e8674", + "modified": "2023-10-27T20:54:34.745834Z", + "relationship": "Modified", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "User Account", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0002" + }, + { + "created": "2023-10-27T20:54:34.746876Z", + "id": "relationship--4b6919cc-b615-45cd-8c34-274dee511ae0", + "modified": "2023-10-27T20:54:34.746876Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--fd2cafd4-e2d1-40ee-911e-fed7708959c5", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.430042Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "modified": "2023-10-27T20:54:34.430042Z", + "name": "Windows Registry Key Access", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.74786Z", + "data_component": "Windows Registry Key Access", + "data_source": "Windows Registry", + "description": "An attempt was made to access an object", + "event_id": "", + "id": "x-mitre-sensor-mapping--a40054e1-91dc-4bb0-a142-34e86368b26d", + "modified": 
"2023-10-27T20:54:34.74786Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.74786Z", + "id": "relationship--f7956014-5109-45c1-9b96-f0b10c1b0f2a", + "modified": "2023-10-27T20:54:34.74786Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--af125c05-c90c-4c2f-9046-da21d0e221e8", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.489047Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--7fa1ea2a-ef03-4797-b4da-ded7431b03a6", + "modified": "2023-10-27T20:54:34.489047Z", + "name": "Windows Registry Key Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.749927Z", + "data_component": "Windows Registry Key Creation", + "data_source": "Windows Registry", + "description": "A registry value was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--5d29cd0b-7115-4e9b-8412-073974118f87", + "modified": "2023-10-27T20:54:34.749927Z", + "relationship": "Created", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.750847Z", + "id": 
"relationship--73aaf028-c2d6-4ac9-85af-ac6c7a1aaa90", + "modified": "2023-10-27T20:54:34.750847Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--7fa1ea2a-ef03-4797-b4da-ded7431b03a6", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.491088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--bd62e695-7bf5-4d81-880b-c63f30635156", + "modified": "2023-10-27T20:54:34.491088Z", + "name": "Windows Registry Key Deletion", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.751852Z", + "data_component": "Windows Registry Key Deletion", + "data_source": "Windows Registry", + "description": "A registry value was modified.", + "event_id": "", + "id": "x-mitre-sensor-mapping--dab61b4b-d4a3-4fda-a98e-ef63d54cbc7e", + "modified": "2023-10-27T20:54:34.751852Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.751852Z", + "id": "relationship--8e837a06-c2f0-4f9f-8906-e62f95ab1566", + "modified": "2023-10-27T20:54:34.751852Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--bd62e695-7bf5-4d81-880b-c63f30635156", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.753689Z", + "data_component": "Windows Registry Key Deletion", + "data_source": "Windows Registry", + "description": "An object was deleted.", + "event_id": "", + "id": "x-mitre-sensor-mapping--0fe79cfc-2ccb-4413-b16a-42228bb5a2c7", + "modified": "2023-10-27T20:54:34.753689Z", + "relationship": "Deleted", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.754227Z", + "id": "relationship--ac3423d8-792e-4f47-9c73-7670dcdbb3e4", + "modified": "2023-10-27T20:54:34.754227Z", + "relationship_type": "Deleted", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--bd62e695-7bf5-4d81-880b-c63f30635156", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.493081Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--f23ad5d9-1cb0-41a0-bfb8-fcda53887dfc", + "modified": "2023-10-27T20:54:34.493081Z", + "name": "Windows Registry Key Modification", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.755229Z", + "data_component": "Windows Registry Key Modification", + "data_source": "Windows Registry", + "description": "A registry value was modified.", + "event_id": "", + 
"id": "x-mitre-sensor-mapping--f3f0b5e0-6ae3-45e0-af38-76361ecee18a", + "modified": "2023-10-27T20:54:34.755229Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Registry", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.755229Z", + "id": "relationship--4a087d31-b673-4f12-8830-fe67566e3068", + "modified": "2023-10-27T20:54:34.755229Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f23ad5d9-1cb0-41a0-bfb8-fcda53887dfc", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.756312Z", + "data_component": "Windows Registry Key Modification", + "data_source": "Windows Registry", + "description": "Permissions on an object were changed.", + "event_id": "", + "id": "x-mitre-sensor-mapping--1694e3c0-cd76-49f9-a007-9c20cdb855cb", + "modified": "2023-10-27T20:54:34.756312Z", + "relationship": "Modified", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "File", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0024" + }, + { + "created": "2023-10-27T20:54:34.757306Z", + "id": "relationship--21deb6cf-ba81-42a1-9ef5-93e0b7767395", + "modified": "2023-10-27T20:54:34.757306Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--f23ad5d9-1cb0-41a0-bfb8-fcda53887dfc", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.437411Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "modified": "2023-10-27T20:54:34.437411Z", + "name": "WMI Creation", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.757306Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMIProv provider started.", + "event_id": "", + "id": "x-mitre-sensor-mapping--eb1171b4-6268-4d16-b5a3-3ab197501c8e", + "modified": "2023-10-27T20:54:34.757306Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.758828Z", + "id": "relationship--0f8cdae5-2dfd-40b0-9c8f-e16877cc50fe", + "modified": "2023-10-27T20:54:34.758828Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.75988Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI Query Error.", + "event_id": "", + "id": "x-mitre-sensor-mapping--f9a5682d-31bd-4e05-877f-d17edb3ef379", + "modified": "2023-10-27T20:54:34.75988Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.760842Z", + "id": "relationship--98558194-179f-4243-b6a8-e654a753fb45", + "modified": "2023-10-27T20:54:34.760842Z", + "relationship_type": 
"Created", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.762518Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI Event.", + "event_id": "", + "id": "x-mitre-sensor-mapping--03d02b73-b89c-4013-a6cc-ba57a552196b", + "modified": "2023-10-27T20:54:34.762518Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.763387Z", + "id": "relationship--be7e0e6c-f93c-48ab-aee3-2186bc58b0c6", + "modified": "2023-10-27T20:54:34.763387Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.764033Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI temporary event created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--f1433855-fca8-4e8a-9546-48ef359b0a63", + "modified": "2023-10-27T20:54:34.764033Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.765004Z", + "id": "relationship--9710d562-85a3-4365-9eed-89f4e6a8f42d", + "modified": "2023-10-27T20:54:34.765004Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.766193Z", + "data_component": "WMI Creation", + "data_source": "WMI", + "description": "WMI permanent event created.", + "event_id": "", + "id": "x-mitre-sensor-mapping--bde104e3-27c1-4e84-a3db-9ab5ffff94da", + "modified": "2023-10-27T20:54:34.766193Z", + "relationship": "Created", + "revoked": false, + "source": "User", + "spec_version": "2.1", + "target": "WMI Object", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0005" + }, + { + "created": "2023-10-27T20:54:34.767108Z", + "id": "relationship--ee84f218-fe89-4f72-a73e-246b6c61dba4", + "modified": "2023-10-27T20:54:34.767108Z", + "relationship_type": "Created", + "revoked": false, + "source_ref": "x-mitre-data-source--2cd6cc81-d86e-4595-a4f0-43f5519f14e6", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--b4d4ef94-4140-4a7d-9e25-4e60a278104d", + "type": "relationship" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/mappings/stix/enterprise/Zeek-mappings-enterprise.json b/mappings/stix/enterprise/Zeek-mappings-enterprise.json new file mode 100644 index 0000000..c92b8e9 --- /dev/null +++ b/mappings/stix/enterprise/Zeek-mappings-enterprise.json 
@@ -0,0 +1,6168 @@ +{ + "id": "bundle--9503ca3c-2c7b-4f55-a24b-659c52a160ec", + "objects": [ + { + "created": "2023-10-27T20:54:34.478308Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "modified": "2023-10-27T20:54:34.478308Z", + "name": "Network Connection Creation", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.797272Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for NTLM messages of type authenticate.", + "event_id": "ntlm_authenticate", + "id": "x-mitre-sensor-mapping--e955996d-7720-45bd-bd74-04c10f68889b", + "modified": "2023-10-27T20:54:34.797272Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ntlm", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.798292Z", + "id": "relationship--33bcaa84-c94b-42a1-b854-c5006c299890", + "modified": "2023-10-27T20:54:34.798292Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.799311Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated 
for NTLM messages of type challenge.", + "event_id": "ntlm_challenge", + "id": "x-mitre-sensor-mapping--fbb31ca9-ad6a-4f0e-bada-8e9851e3e42d", + "modified": "2023-10-27T20:54:34.799311Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Ntlm", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.799311Z", + "id": "relationship--030ed77c-0eac-4284-8f51-dcf6d04108be", + "modified": "2023-10-27T20:54:34.799311Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.800341Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for successful authentications on POP3 connections.", + "event_id": "pop3_login_success", + "id": "x-mitre-sensor-mapping--f6e7333d-e649-486b-8f07-24887ac12a27", + "modified": "2023-10-27T20:54:34.800341Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.800341Z", + "id": "relationship--9dfee10b-b524-4713-b91e-3ee808a39800", + "modified": "2023-10-27T20:54:34.800341Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.801335Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated 
when RDPEUDP connections are established (both sides SYN)", + "event_id": "rdpeudp_established", + "id": "x-mitre-sensor-mapping--b5e4acb7-934d-4955-9dca-db85f1f58381", + "modified": "2023-10-27T20:54:34.801335Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.801335Z", + "id": "relationship--6fad490b-4c6b-4dfc-b369-99813c162b56", + "modified": "2023-10-27T20:54:34.801335Z", + "relationship_type": "Connected To", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.801335Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for RDPEUDP SYN UDP Datagram", + "event_id": "rdpeudp_syn", + "id": "x-mitre-sensor-mapping--10b7a00c-2c27-4db2-b6db-4a0f469e2463", + "modified": "2023-10-27T20:54:34.801335Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.802349Z", + "id": "relationship--4994290a-6b1a-4ae6-bf71-6027136f0ae4", + "modified": "2023-10-27T20:54:34.802349Z", + "relationship_type": "Connected To", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.802349Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for RDPEUDP SYNACK UDP 
Datagram", + "event_id": "rdpeudp_synack", + "id": "x-mitre-sensor-mapping--5ac4c92f-31f1-462f-a0b1-2b65976a78e3", + "modified": "2023-10-27T20:54:34.802349Z", + "relationship": "Connected To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.80358Z", + "id": "relationship--eadfb72c-a6bd-47b1-9983-7494e7f4231e", + "modified": "2023-10-27T20:54:34.80358Z", + "relationship_type": "Connected To", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.804573Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated when a SOCKS server replies to a username/password login attempt.", + "event_id": "socks_login_userpass_reply", + "id": "x-mitre-sensor-mapping--20136b1b-980b-4fad-886c-ff8521bfc658", + "modified": "2023-10-27T20:54:34.804573Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Socks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.804573Z", + "id": "relationship--e50114ce-5b63-4894-8ecb-9e89281e2521", + "modified": "2023-10-27T20:54:34.804573Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.80538Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated when a SOCKS client 
performs username and password based login.", + "event_id": "socks_login_userpass_request", + "id": "x-mitre-sensor-mapping--5272bf98-d7a7-4538-bbeb-a3f7e1274616", + "modified": "2023-10-27T20:54:34.80538Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Socks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.80538Z", + "id": "relationship--f72615b1-9eeb-4257-930e-d3dac7f0a49d", + "modified": "2023-10-27T20:54:34.80538Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.805923Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method.", + "event_id": "ssh2_dh_server_params", + "id": "x-mitre-sensor-mapping--c940feb1-1be4-4147-b5da-577514e239c0", + "modified": "2023-10-27T20:54:34.805923Z", + "relationship": "Connected Through", + "revoked": false, + "source": "", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.805923Z", + "id": "relationship--3210b203-1b96-4390-868b-ba1f8b96425b", + "modified": "2023-10-27T20:54:34.805923Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.806932Z", + "data_component": "Network Connection Creation", + "data_source": "Network 
Traffic", + "description": "Generated for an SSL/TLS client’s initial hello message.", + "event_id": "ssl_client_hello", + "id": "x-mitre-sensor-mapping--9297ae11-0a2e-48b8-944f-82e40e05296b", + "modified": "2023-10-27T20:54:34.806932Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.806932Z", + "id": "relationship--7c5609b3-0c1b-4906-853a-852ee110302c", + "modified": "2023-10-27T20:54:34.806932Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.807928Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated at the end of an SSL/TLS handshake.", + "event_id": "ssl_established", + "id": "x-mitre-sensor-mapping--f6e09926-0b5b-44cc-88c8-b703668478c6", + "modified": "2023-10-27T20:54:34.807928Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.809028Z", + "id": "relationship--1a88d5b1-9ec5-42c2-be45-5e09bbdd84e7", + "modified": "2023-10-27T20:54:34.809028Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.810027Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + 
"description": "Generated if a client uses RSA key exchange.", + "event_id": "ssl_rsa_client_pms", + "id": "x-mitre-sensor-mapping--110521f6-1003-47bb-9215-2ba058715ae6", + "modified": "2023-10-27T20:54:34.810027Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.811028Z", + "id": "relationship--1f7b433e-9cb1-452f-b82e-5c357521005a", + "modified": "2023-10-27T20:54:34.811028Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.811028Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for an SSL/TLS server’s initial hello message.", + "event_id": "ssl_server_hello", + "id": "x-mitre-sensor-mapping--78546a60-5201-4e62-af99-77cc159daff4", + "modified": "2023-10-27T20:54:34.811028Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.812259Z", + "id": "relationship--c51a5f47-74da-466b-8531-34108fd55dab", + "modified": "2023-10-27T20:54:34.812259Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.812259Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + 
"description": "Generated for SSL/TLS handshake messages that are a part of the stateless-server session resumption mechanism.", + "event_id": "ssl_session_ticket_handshake", + "id": "x-mitre-sensor-mapping--f359956e-5213-4498-8dc1-ce271de33956", + "modified": "2023-10-27T20:54:34.812259Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.813314Z", + "id": "relationship--d010734e-57ad-4a10-82b4-6a5c376a897f", + "modified": "2023-10-27T20:54:34.813314Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.814622Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated when seeing a SYN-ACK packet from the responder in a TCP handshake.", + "event_id": "connection_established", + "id": "x-mitre-sensor-mapping--b9e99f4c-4402-4485-bb1f-2c8db5acbbd5", + "modified": "2023-10-27T20:54:34.814622Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.815608Z", + "id": "relationship--ae0d3111-2716-4da7-aa2d-249e1048aece", + "modified": "2023-10-27T20:54:34.815608Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.815608Z", + 
"data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for the first ACK packet seen for a TCP connection from its originator.", + "event_id": "connection_first_ack", + "id": "x-mitre-sensor-mapping--37506c40-baec-433a-8802-cefb3734b091", + "modified": "2023-10-27T20:54:34.815608Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.816664Z", + "id": "relationship--8ecb57f3-b998-4c33-9094-08489ac161d8", + "modified": "2023-10-27T20:54:34.816664Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.817657Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "Generated for a SYN packet.", + "event_id": "connection_SYN_packet", + "id": "x-mitre-sensor-mapping--f7c96d1e-1196-4e45-beb4-1ac85977f066", + "modified": "2023-10-27T20:54:34.817657Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.817657Z", + "id": "relationship--202c4629-7e4f-4643-92f5-d6aa6757a25e", + "modified": "2023-10-27T20:54:34.817657Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": 
"2023-10-27T20:54:34.818693Z", + "data_component": "Network Connection Creation", + "data_source": "Network Traffic", + "description": "This event is generated when an SSH connection was determined to have had a successful authentication.", + "event_id": "ssh_auth_successful", + "id": "x-mitre-sensor-mapping--df994584-7a37-4ec7-b4ab-dbfff1f34803", + "modified": "2023-10-27T20:54:34.818693Z", + "relationship": "Connected Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.818693Z", + "id": "relationship--e84b25a4-2636-4119-b8e1-75c65b12f7fd", + "modified": "2023-10-27T20:54:34.818693Z", + "relationship_type": "Connected Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--e383303b-98ab-4d43-9dac-908d37baef34", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:33.679872Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "modified": "2023-10-27T20:54:33.679872Z", + "name": "Network Traffic Content", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.819696Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for passing on all data decoded from a single email MIME message.", + 
"event_id": "mime_all_data", + "id": "x-mitre-sensor-mapping--62bb7efc-9ef4-4126-a537-ecb5f221ef9f", + "modified": "2023-10-27T20:54:34.819696Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Mime", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.8207Z", + "id": "relationship--c2ea505d-0d66-4346-b615-0d077557f943", + "modified": "2023-10-27T20:54:34.8207Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.8207Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for data decoded from an email MIME entity.", + "event_id": "mime_entity_data", + "id": "x-mitre-sensor-mapping--41ef1505-3ef5-44f0-8987-fbd49ab57483", + "modified": "2023-10-27T20:54:34.8207Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Mime", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.821703Z", + "id": "relationship--92b5ab24-2645-459a-98d8-5f0fa65623ff", + "modified": "2023-10-27T20:54:34.821703Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.822693Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for decoded MIME entities extracted from email messages, passing on their 
MD5 checksums.", + "event_id": "mime_content_hash", + "id": "x-mitre-sensor-mapping--f56164ca-27fa-4e03-a485-9c2ee02a6ee3", + "modified": "2023-10-27T20:54:34.822693Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Mime", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.822693Z", + "id": "relationship--7e3aec4d-66f2-4d9e-8646-3d9f315444d4", + "modified": "2023-10-27T20:54:34.822693Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.823697Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for reporting an HTTP body’s content type.", + "event_id": "http_content_type", + "id": "x-mitre-sensor-mapping--1ac01691-401a-4fe1-9de3-3d78d25d30f9", + "modified": "2023-10-27T20:54:34.823697Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.823697Z", + "id": "relationship--b002a1cc-b154-4580-95fd-54b6140344a7", + "modified": "2023-10-27T20:54:34.823697Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.825686Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated when parsing an HTTP body entity, 
passing on the data.", + "event_id": "http_entity_data", + "id": "x-mitre-sensor-mapping--52781b36-fe33-4e90-b1c3-985e4ef3ed0b", + "modified": "2023-10-27T20:54:34.825686Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.826689Z", + "id": "relationship--d4c43caf-64ea-4f09-94d6-6e30247ac11e", + "modified": "2023-10-27T20:54:34.826689Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.826689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "modified": "2023-10-27T20:54:34.826689Z", + "name": "Network Traffic Flow", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "revoked": false, + "spec_version": "2.1", + "type": "x-mitre-data-component", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "created": "2023-10-27T20:54:34.827689Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for HTTP headers, passing on all headers of an HTTP message at once.", + "event_id": "http_all_headers", + "id": "x-mitre-sensor-mapping--a176bb79-2941-490f-8ee3-acb70a561a01", + "modified": "2023-10-27T20:54:34.827689Z", + "relationship": "Communicates With", + "revoked": false, + "source": 
"Process/User", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.827689Z", + "id": "relationship--44e9f7f9-3dda-49de-a437-4f50d7191577", + "modified": "2023-10-27T20:54:34.827689Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.829687Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP destination unreachable messages.", + "event_id": "icmp_unreachable", + "id": "x-mitre-sensor-mapping--d344c8d1-c764-42af-88f8-77392e1ec2c0", + "modified": "2023-10-27T20:54:34.829687Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.829687Z", + "id": "relationship--59d2cff8-4e6a-4675-8e6d-9d83be3489e5", + "modified": "2023-10-27T20:54:34.829687Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.830688Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP neighbor advertisement messages.", + "event_id": "icmp_neighbor_advertisement", + "id": "x-mitre-sensor-mapping--b5f927e1-4ee3-4b81-8f56-7b8ecb5ae3bd", + "modified": "2023-10-27T20:54:34.830688Z", + "relationship": "Communicates With", + "revoked": false, + "source": 
"Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.830688Z", + "id": "relationship--16407ab4-2582-4a3e-8e0e-7e3f52beb3c5", + "modified": "2023-10-27T20:54:34.830688Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.831686Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP neighbor solicitation messages.", + "event_id": "icmp_neighbor_solicitation", + "id": "x-mitre-sensor-mapping--0dc4afdc-52aa-4697-a65a-eab5ac769a40", + "modified": "2023-10-27T20:54:34.831686Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.832684Z", + "id": "relationship--a79488dc-8120-43fa-b308-8c67f9fa362a", + "modified": "2023-10-27T20:54:34.832684Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.832684Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP router advertisement messages.", + "event_id": "icmp_neighbor_advertisement", + "id": "x-mitre-sensor-mapping--4558ec34-464d-4263-b095-d8a7e338d717", + "modified": "2023-10-27T20:54:34.832684Z", + "relationship": "Communicates With", + "revoked": false, + "source": 
"Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.833684Z", + "id": "relationship--ae439827-cee6-4d05-9f15-50c4e610b47f", + "modified": "2023-10-27T20:54:34.833684Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.833684Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for ICMP router solicitation messages.", + "event_id": "icmp_neighbor_solicitation", + "id": "x-mitre-sensor-mapping--fb5e0577-d279-475d-b81d-cfca5e36f292", + "modified": "2023-10-27T20:54:34.833684Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.834691Z", + "id": "relationship--5e4edbe7-79f0-4712-a0b6-f22339caaaa1", + "modified": "2023-10-27T20:54:34.834691Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.834691Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type session message that are not carrying an SMB payload.", + "event_id": "netbios_session_raw_message", + "id": "x-mitre-sensor-mapping--5a2157bb-dd29-4751-92d8-a393d5322795", + "modified": "2023-10-27T20:54:34.834691Z", + "relationship": "Communicates 
With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.835685Z", + "id": "relationship--80fd7e27-d4e6-40c6-a637-70042dad15ef", + "modified": "2023-10-27T20:54:34.835685Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.835685Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for client cluster data packets.", + "event_id": "rdp_client_cluster_data", + "id": "x-mitre-sensor-mapping--38f1b937-dbcc-4787-bf79-e1b48e65039f", + "modified": "2023-10-27T20:54:34.835685Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.836684Z", + "id": "relationship--4fc61719-ab41-4231-9c81-cd6c3807ef0c", + "modified": "2023-10-27T20:54:34.836684Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.836684Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for MCS client requests.", + "event_id": "rdp_client_core_data", + "id": "x-mitre-sensor-mapping--548c41ff-8bb2-4e21-be51-65eb85a748c6", + "modified": "2023-10-27T20:54:34.836684Z", + "relationship": "Communicates With", + "revoked": false, 
+ "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.837683Z", + "id": "relationship--9c8dd584-f4ab-4890-a951-7ece98713065", + "modified": "2023-10-27T20:54:34.837683Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.837683Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Client Network Data (TS_UD_CS_NET) packets.", + "event_id": "rdp_client_network_data", + "id": "x-mitre-sensor-mapping--fb417c37-0e00-4b38-8fb7-057fb021db4e", + "modified": "2023-10-27T20:54:34.837683Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.838683Z", + "id": "relationship--7e9785ff-2628-42a5-989e-306171e741a9", + "modified": "2023-10-27T20:54:34.838683Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.838683Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for client security data packets.", + "event_id": "rdp_client_security_data", + "id": "x-mitre-sensor-mapping--08f04472-1f67-477e-8830-bff47073a939", + "modified": "2023-10-27T20:54:34.838683Z", + "relationship": "Communicates With", + "revoked": 
false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.838683Z", + "id": "relationship--180c7d5a-0d6f-4b60-8198-9ad87f24e09f", + "modified": "2023-10-27T20:54:34.838683Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.839683Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for a server certificate section.", + "event_id": "rdp_server_certificate", + "id": "x-mitre-sensor-mapping--bef73a92-a3b2-4a8d-9c8a-d3e1b77f5ed2", + "modified": "2023-10-27T20:54:34.839683Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.839683Z", + "id": "relationship--b568d4e8-369b-458d-b96b-8be1c5f604b1", + "modified": "2023-10-27T20:54:34.839683Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.840683Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for each MOUNT3 reply message received, reporting just the status included.", + "event_id": "mount_reply_status", + "id": "x-mitre-sensor-mapping--f7c1559b-6c30-49cb-ac62-d0c789c014ac", + "modified": "2023-10-27T20:54:34.840683Z", + "relationship": "Replied 
To", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.840683Z", + "id": "relationship--a6871df0-fb7d-47d7-8602-d19ddbb3b650", + "modified": "2023-10-27T20:54:34.840683Z", + "relationship_type": "Replied To", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.841686Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type callit.", + "event_id": "pm_request_callit", + "id": "x-mitre-sensor-mapping--64683432-1b95-4cb5-af12-d833a1568f7d", + "modified": "2023-10-27T20:54:34.841686Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.8427Z", + "id": "relationship--9784bfa7-1716-49ed-8794-0fffc1101c32", + "modified": "2023-10-27T20:54:34.8427Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.843697Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type dump.", + "event_id": "pm_request_dump", + "id": "x-mitre-sensor-mapping--9af5d89b-4f58-4ee7-8c43-a60d4af3d41f", + "modified": "2023-10-27T20:54:34.843697Z", + "relationship": "Accessed", + "revoked": false, 
+ "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.844817Z", + "id": "relationship--7712f4b9-6180-4abf-b7b4-d1304654f275", + "modified": "2023-10-27T20:54:34.844817Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.845736Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type getport.", + "event_id": "pm_request_getport", + "id": "x-mitre-sensor-mapping--9a8fc07f-efc4-41db-9702-4962ce29307b", + "modified": "2023-10-27T20:54:34.845736Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.845736Z", + "id": "relationship--f40589fa-224a-42a4-b70d-eb1daaa6303a", + "modified": "2023-10-27T20:54:34.845736Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.846824Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type null.", + "event_id": "pm_request_null", + "id": "x-mitre-sensor-mapping--08e1925a-8573-454f-b22a-c4b3d9636701", + "modified": "2023-10-27T20:54:34.846824Z", + "relationship": "Accessed", + "revoked": false, + "source": 
"Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.846968Z", + "id": "relationship--a7c1d399-a80a-4f8c-b9b6-ceadf36dbd87", + "modified": "2023-10-27T20:54:34.846968Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.846968Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type set.", + "event_id": "pm_request_set", + "id": "x-mitre-sensor-mapping--3cd58f48-3015-49c9-8a0e-3fc96a7f1092", + "modified": "2023-10-27T20:54:34.846968Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.847966Z", + "id": "relationship--15594eac-cd46-46a3-bcec-f45b3320eea7", + "modified": "2023-10-27T20:54:34.847966Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.847966Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for Portmapper request/reply dialogues of type unset.", + "event_id": "pm_request_unset", + "id": "x-mitre-sensor-mapping--a7700502-6760-47b8-8aa4-835cf26e2d09", + "modified": "2023-10-27T20:54:34.847966Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + 
"spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.848963Z", + "id": "relationship--ec3512a7-796d-4777-89c4-c462e187a14a", + "modified": "2023-10-27T20:54:34.848963Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.848963Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated once for all SIP headers from the originator or responder.", + "event_id": "sip_all_headers", + "id": "x-mitre-sensor-mapping--e9b43e8a-b694-4b17-84b8-4bbd3b6836f3", + "modified": "2023-10-27T20:54:34.848963Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Sip", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.848963Z", + "id": "relationship--63559d7a-8b88-40eb-aabb-1d4c7b9f5c0d", + "modified": "2023-10-27T20:54:34.848963Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.850054Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type negotiate.", + "event_id": "smb2_negotiate_request", + "id": "x-mitre-sensor-mapping--8604dd4a-e1e1-4256-91ed-7f88a50c6bb6", + "modified": "2023-10-27T20:54:34.850054Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + 
"spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.850054Z", + "id": "relationship--d0fb2788-126d-4caf-9a3c-24b1f2e8c96a", + "modified": "2023-10-27T20:54:34.850054Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.850966Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type negotiate.", + "event_id": "smb2_negotiate_response", + "id": "x-mitre-sensor-mapping--163b5941-0b10-410e-b8fa-b3d6ce08ceb7", + "modified": "2023-10-27T20:54:34.850966Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.850966Z", + "id": "relationship--524859b8-653d-4007-90f3-6af3537261ce", + "modified": "2023-10-27T20:54:34.850966Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.852058Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type read.", + "event_id": "smb2_read_request", + "id": "x-mitre-sensor-mapping--b1e4a688-fcf6-45a8-88b7-4a3fe5951dca", + "modified": "2023-10-27T20:54:34.852058Z", + "relationship": "Accessed", + "revoked": false, + "source": "Process/User", + 
"spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.852058Z", + "id": "relationship--08d7b966-3016-49f0-a480-be52ff65862f", + "modified": "2023-10-27T20:54:34.852058Z", + "relationship_type": "Accessed", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.853051Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type session_setup.", + "event_id": "smb2_session_setup_request", + "id": "x-mitre-sensor-mapping--99d81405-1b2f-4c0a-9e37-8e1c2aa3aadf", + "modified": "2023-10-27T20:54:34.853051Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.853051Z", + "id": "relationship--1eeaeb70-b0d4-4429-ae5f-81f674b94394", + "modified": "2023-10-27T20:54:34.853051Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.854054Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type session_setup.", + "event_id": "smb2_session_setup_response", + "id": "x-mitre-sensor-mapping--1ded89b6-99a9-41e7-af9d-b0f915cfb5e7", + "modified": "2023-10-27T20:54:34.854054Z", + "relationship": "Communicated With", + "revoked": false, 
+ "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.854054Z", + "id": "relationship--620e36b1-82cc-4ba3-b603-c213bd7fd9f4", + "modified": "2023-10-27T20:54:34.854054Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.854054Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the allocation subtype", + "event_id": "smb2_file_allocation", + "id": "x-mitre-sensor-mapping--74bacf2d-6483-4842-aae1-08d2af203518", + "modified": "2023-10-27T20:54:34.854054Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.855041Z", + "id": "relationship--c358fc25-ba01-48a4-8cff-d4b6d1a3026b", + "modified": "2023-10-27T20:54:34.855041Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.855041Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the delete subtype", + "event_id": "smb2_file_allocation", + "id": "x-mitre-sensor-mapping--c2ce6434-40bb-462a-96ad-4f98382c593e", + "modified": "2023-10-27T20:54:34.855041Z", + 
"relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.856125Z", + "id": "relationship--bcfd1d94-2a33-446a-a983-6ecee676d69e", + "modified": "2023-10-27T20:54:34.856125Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.856125Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the end_of_file subtype", + "event_id": "smb2_file_endoffile", + "id": "x-mitre-sensor-mapping--f1b5e8e5-7324-4b5f-adb1-ceccf6aa74c7", + "modified": "2023-10-27T20:54:34.856125Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.857192Z", + "id": "relationship--d017b7f0-ed94-433d-bc94-7bb4e82560d0", + "modified": "2023-10-27T20:54:34.857192Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.857192Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the fs_control subtype", + "event_id": "smb2_file_fscontrol", + "id": 
"x-mitre-sensor-mapping--e612d272-34ae-495c-a2b4-dd58ae3c74a7", + "modified": "2023-10-27T20:54:34.857192Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.858198Z", + "id": "relationship--56981a97-8b09-4119-8228-7df7d439fcc2", + "modified": "2023-10-27T20:54:34.858198Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.858198Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the fs_object_id subtype", + "event_id": "smb2_file_fsobjectid", + "id": "x-mitre-sensor-mapping--c5f5c0ef-18a8-40a5-8077-5c4a1a54b630", + "modified": "2023-10-27T20:54:34.858198Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.859108Z", + "id": "relationship--6adc7da9-455f-4ecd-aafc-7a546dba6ebf", + "modified": "2023-10-27T20:54:34.859108Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.859108Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the 
full_EA subtype", + "event_id": "smb2_file_fullea", + "id": "x-mitre-sensor-mapping--fef85e38-f61d-4b25-84ff-7aa1f63ae6bd", + "modified": "2023-10-27T20:54:34.859108Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.860121Z", + "id": "relationship--bda0da29-831f-44c8-bdae-abba621b3890", + "modified": "2023-10-27T20:54:34.860121Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.861114Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the link subtype", + "event_id": "smb2_file_link", + "id": "x-mitre-sensor-mapping--f463b61f-e90e-4075-ba04-bb2e068df170", + "modified": "2023-10-27T20:54:34.861114Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.861114Z", + "id": "relationship--8a1ce172-f1e9-4f85-818b-543d3c3c51dd", + "modified": "2023-10-27T20:54:34.861114Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.862107Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for 
SMB/CIFS version 2 requests of type set_info of the mode subtype", + "event_id": "smb2_file_mode", + "id": "x-mitre-sensor-mapping--a21df9af-63c5-4182-b64f-f099aebb1d77", + "modified": "2023-10-27T20:54:34.862107Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.86311Z", + "id": "relationship--d2db73b1-9a3b-445d-a156-b13ad414cd18", + "modified": "2023-10-27T20:54:34.86311Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.864109Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the pipe subtype", + "event_id": "smb2_file_pipe", + "id": "x-mitre-sensor-mapping--8e915d50-7daa-4719-92dc-6adc426c666c", + "modified": "2023-10-27T20:54:34.864109Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.864109Z", + "id": "relationship--7ef8dec0-847d-477d-8266-d29edce49365", + "modified": "2023-10-27T20:54:34.864109Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.865107Z", + "data_component": "Network Traffic Content", + "data_source": "Network 
Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the position subtype", + "event_id": "smb2_file_position", + "id": "x-mitre-sensor-mapping--11bd54f0-278d-4577-82d4-8d2901aa5086", + "modified": "2023-10-27T20:54:34.865107Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.866108Z", + "id": "relationship--fde3db3b-ac07-4f6e-abcc-92f64b55ad16", + "modified": "2023-10-27T20:54:34.866108Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.867106Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the rename subtype", + "event_id": "smb2_file_rename", + "id": "x-mitre-sensor-mapping--605e399b-2469-4662-be97-d613872b0485", + "modified": "2023-10-27T20:54:34.867106Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.867106Z", + "id": "relationship--79653bb8-440e-47ea-9199-ec3496a7b407", + "modified": "2023-10-27T20:54:34.867106Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.868105Z", + "data_component": 
"Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the sattr subtype", + "event_id": "smb2_file_sattr", + "id": "x-mitre-sensor-mapping--ad020d57-8ac7-4951-b05c-81fe8a5bba33", + "modified": "2023-10-27T20:54:34.868105Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.869107Z", + "id": "relationship--ff6cb2c3-39e6-4df8-9537-ab56a322f3f9", + "modified": "2023-10-27T20:54:34.869107Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.870107Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the short_name subtype", + "event_id": "smb2_file_shortname", + "id": "x-mitre-sensor-mapping--aa358f3c-1e1b-44b0-aead-a61c6c790c80", + "modified": "2023-10-27T20:54:34.870107Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.870107Z", + "id": "relationship--a06bb315-faf0-46df-90a5-530536a343bb", + "modified": "2023-10-27T20:54:34.870107Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + 
"created": "2023-10-27T20:54:34.871111Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type set_info of the valid_data_length subtype", + "event_id": "smb2_file_validdatalength", + "id": "x-mitre-sensor-mapping--897ca04a-88af-4b26-a734-1fb44043d5ef", + "modified": "2023-10-27T20:54:34.871111Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.872109Z", + "id": "relationship--d923c812-3097-4a42-8e65-67e97acc46a4", + "modified": "2023-10-27T20:54:34.872109Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.872109Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 3.x transform_header.", + "event_id": "smb2_transform_header", + "id": "x-mitre-sensor-mapping--31384f56-0655-41f9-b522-c0a5f798bbd2", + "modified": "2023-10-27T20:54:34.872109Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.873159Z", + "id": "relationship--63c64a71-f6fc-410f-a73e-ca5eeb99971e", + "modified": "2023-10-27T20:54:34.873159Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.873159Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type tree_connect.", + "event_id": "smb2_tree_connect_request", + "id": "x-mitre-sensor-mapping--0b404b4b-3a4f-42cd-bb5d-24080f0df3c6", + "modified": "2023-10-27T20:54:34.873159Z", + "relationship": "Read", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.874176Z", + "id": "relationship--91affd30-f0d2-4233-b79e-c84592ea99a1", + "modified": "2023-10-27T20:54:34.874176Z", + "relationship_type": "Read", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.874176Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type tree_connect.", + "event_id": "smb2_tree_connect_response", + "id": "x-mitre-sensor-mapping--1aa23362-33e0-49ba-8f62-f940ce91501b", + "modified": "2023-10-27T20:54:34.874176Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.875164Z", + "id": "relationship--818b51dd-21d8-4c6d-912d-14fa915fe1fc", + "modified": "2023-10-27T20:54:34.875164Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + 
"target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.875164Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type tree disconnect.", + "event_id": "smb2_tree_disconnect_request", + "id": "x-mitre-sensor-mapping--1cc4585f-1822-492d-8676-689700493aa2", + "modified": "2023-10-27T20:54:34.875164Z", + "relationship": "Disconnected", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.876454Z", + "id": "relationship--3444468b-739b-41d5-8b4d-9dedac0d1a40", + "modified": "2023-10-27T20:54:34.876454Z", + "relationship_type": "Disconnected", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.877484Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type tree disconnect.", + "event_id": "smb2_tree_disconnect_response", + "id": "x-mitre-sensor-mapping--076778e2-41ba-4d6f-9106-752eec4425eb", + "modified": "2023-10-27T20:54:34.877484Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.877484Z", + "id": "relationship--2ce9efd6-78f1-4166-866f-ba357b6e4f87", + "modified": "2023-10-27T20:54:34.877484Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.87848Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type write.", + "event_id": "smb2_write_request", + "id": "x-mitre-sensor-mapping--07d03e4f-24c6-4b81-ae27-6bf50ff463c2", + "modified": "2023-10-27T20:54:34.87848Z", + "relationship": "Write", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.87848Z", + "id": "relationship--1ca78f59-8766-4ff5-bac0-c9335978af59", + "modified": "2023-10-27T20:54:34.87848Z", + "relationship_type": "Write", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.879479Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type write.", + "event_id": "smb2_write_response", + "id": "x-mitre-sensor-mapping--24a72dac-7bd2-4a58-84f6-b3eeca349dc3", + "modified": "2023-10-27T20:54:34.879479Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.879479Z", + "id": "relationship--b7b0a3ad-f0ad-41d3-b302-a51752a4c68a", + "modified": "2023-10-27T20:54:34.879479Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.880481Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMPv3 encrypted PDU message.", + "event_id": "snmp_encrypted_pdu", + "id": "x-mitre-sensor-mapping--ff6ff08c-b2e1-4a14-9e87-6f6f2d385ccd", + "modified": "2023-10-27T20:54:34.880481Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host, Process/User", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.880481Z", + "id": "relationship--55231dc7-d4a7-4be2-982d-0031bd164913", + "modified": "2023-10-27T20:54:34.880481Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.881478Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP GetRequest-PDU message from either RFC 1157 or RFC 3416.", + "event_id": "snmp_get_request", + "id": "x-mitre-sensor-mapping--ecd8fc6f-0ad4-4dc3-b57f-563255e398fc", + "modified": "2023-10-27T20:54:34.881478Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.881478Z", + "id": "relationship--2ab7563c-4b78-4398-9f4b-34a8a6f864b0", + "modified": "2023-10-27T20:54:34.881478Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.88248Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP Report-PDU message from RFC 3416.", + "event_id": "snmp_report", + "id": "x-mitre-sensor-mapping--e17d4c77-d082-40b0-a18c-debca7784d71", + "modified": "2023-10-27T20:54:34.88248Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.883479Z", + "id": "relationship--35bc133a-c224-4540-ab62-127d9d269f10", + "modified": "2023-10-27T20:54:34.883479Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.883479Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP SetRequest-PDU message from either RFC 1157 or RFC 3416.", + "event_id": "snmp_set_request", + "id": "x-mitre-sensor-mapping--8cb70bbb-356b-456b-8d5d-189439684284", + "modified": "2023-10-27T20:54:34.883479Z", + "relationship": "Modified", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.884478Z", + "id": "relationship--95feccbe-e980-4b3f-a468-f9b0adf71b96", + "modified": "2023-10-27T20:54:34.884478Z", + "relationship_type": "Modified", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.884478Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP Trap-PDU message from RFC 1157.", + "event_id": "snmp_trap", + "id": "x-mitre-sensor-mapping--c89ad353-6d73-4006-aba8-41595d705149", + "modified": "2023-10-27T20:54:34.884478Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.885484Z", + "id": "relationship--805d24d2-7153-42d2-9e7d-f31f9ad45089", + "modified": "2023-10-27T20:54:34.885484Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.885484Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "An SNMP SNMPv2-Trap-PDU message from RFC 1157.", + "event_id": "snmp_trapv2", + "id": "x-mitre-sensor-mapping--0b849414-e35f-4496-8641-c348c1c87313", + "modified": "2023-10-27T20:54:34.885484Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.886972Z", + "id": "relationship--cbf931e1-1ef5-492d-a798-f79b2fa46845", + "modified": "2023-10-27T20:54:34.886972Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.886972Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference.", + "event_id": "ssh_capabilities", + "id": "x-mitre-sensor-mapping--9a081374-aeb3-457d-9bc4-046e17a2fecf", + "modified": "2023-10-27T20:54:34.886972Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.887969Z", + "id": "relationship--13596607-9499-4102-bca6-c936ae203b16", + "modified": "2023-10-27T20:54:34.887969Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.887969Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "This event is generated when an SSH encrypted packet is seen.", + "event_id": "ssh_encrypted_packet", + "id": "x-mitre-sensor-mapping--5e5b8d11-7530-4b10-a76c-f17236e139c2", + "modified": "2023-10-27T20:54:34.887969Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.889006Z", + "id": "relationship--4e88aba8-3690-416f-9192-61af8fabbb29", + "modified": 
"2023-10-27T20:54:34.889006Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.889006Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "During the SSH key exchange, the server supplies its public host key.", + "event_id": "ssh1_server_host_key", + "id": "x-mitre-sensor-mapping--3b931ff4-7f09-4549-9ec3-c77c816e3110", + "modified": "2023-10-27T20:54:34.889006Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.890007Z", + "id": "relationship--3a381fd5-e240-4fdd-b46e-55e6e7c6046e", + "modified": "2023-10-27T20:54:34.890007Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.890007Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret.", + "event_id": "ssh2_ecc_key", + "id": "x-mitre-sensor-mapping--4aa2e8f7-f9ee-4599-a7ac-2822ddde1fda", + "modified": "2023-10-27T20:54:34.890007Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.891034Z", + "id": 
"relationship--0cff9c77-90df-48f5-998a-ce0ab1ccc569", + "modified": "2023-10-27T20:54:34.891034Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.891034Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "During the SSH key exchange, the server supplies its public host key.", + "event_id": "ssh2_server_host_key", + "id": "x-mitre-sensor-mapping--a9286172-8ce2-4fc1-b0d2-148913bb5c67", + "modified": "2023-10-27T20:54:34.891034Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.892037Z", + "id": "relationship--a585a3ec-47f4-4ef7-83eb-b5a20d925b64", + "modified": "2023-10-27T20:54:34.892037Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.893792Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SSL/TLS alert records.", + "event_id": "ssl_alert", + "id": "x-mitre-sensor-mapping--2d7e2fda-e2ba-4539-a488-59304080cfd7", + "modified": "2023-10-27T20:54:34.893792Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.894322Z", + "id": 
"relationship--75486cbf-700a-4ac1-adeb-23fd02ad4c3f", + "modified": "2023-10-27T20:54:34.894322Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.895325Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a client uses a DH-anon or DHE cipher suite.", + "event_id": "ssl_dh_client_params", + "id": "x-mitre-sensor-mapping--a5f7e051-014d-49d1-a938-cb00d4446321", + "modified": "2023-10-27T20:54:34.895325Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.896407Z", + "id": "relationship--b19c40b1-d0a1-4d59-a9fc-7e663c91ce63", + "modified": "2023-10-27T20:54:34.896407Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.89791Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a server uses a DH-anon or DHE cipher suite.", + "event_id": "ssl_dh_server_params", + "id": "x-mitre-sensor-mapping--b1b0209a-045d-4e61-868b-add94bfc9148", + "modified": "2023-10-27T20:54:34.89791Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.898907Z", + "id": 
"relationship--b0c354bb-499a-4e98-9970-33cdf96e6dba", + "modified": "2023-10-27T20:54:34.898907Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.898907Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a client uses an ECDH-anon or ECDHE cipher suite.", + "event_id": "ssl_ecdh_client_params", + "id": "x-mitre-sensor-mapping--2b1e0289-8111-4a98-afe5-3c9010578646", + "modified": "2023-10-27T20:54:34.898907Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.899987Z", + "id": "relationship--fc839bf9-6c22-4e95-9b32-473385717ed7", + "modified": "2023-10-27T20:54:34.899987Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.899987Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve This event contains the named curve name and the server ECDH parameters contained in the ServerKeyExchange message as defined in RFC 4492.", + "event_id": "ssl_ecdh_server_params", + "id": "x-mitre-sensor-mapping--cf7b712e-cb61-4c15-888a-6c4504e3f553", + "modified": "2023-10-27T20:54:34.899987Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Host", + 
"spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.901038Z", + "id": "relationship--e79055aa-aeb6-4993-bfa7-e0c6dcafdd29", + "modified": "2023-10-27T20:54:34.901038Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.902046Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SSL/TLS messages that are sent after session encryption started.", + "event_id": "ssl_encrypted_data", + "id": "x-mitre-sensor-mapping--156915b9-7737-4a80-84ab-a85c0dacd6ac", + "modified": "2023-10-27T20:54:34.902046Z", + "relationship": "Communicated With", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.902046Z", + "id": "relationship--41708974-e8ae-405d-9430-1769ef9d7ddf", + "modified": "2023-10-27T20:54:34.902046Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.903033Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated if a server uses a non-anonymous DHE or ECDHE cipher suite.", + "event_id": "ssl_server_signature", + "id": "x-mitre-sensor-mapping--e0e01d97-6e22-4017-95d6-9949d6b2a3a3", + "modified": "2023-10-27T20:54:34.903033Z", + "relationship": "Communicated With", + 
"revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.903033Z", + "id": "relationship--6dc4c85b-a7b2-43f5-8065-83b184efc436", + "modified": "2023-10-27T20:54:34.903033Z", + "relationship_type": "Communicated With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.903981Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for each chunk of reassembled TCP payload.", + "event_id": "tcp_contents", + "id": "x-mitre-sensor-mapping--f007b18c-b3d3-45e9-be3a-c7235bbe7ae3", + "modified": "2023-10-27T20:54:34.903981Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.904527Z", + "id": "relationship--91fa4f4e-0b54-441d-91e1-529988c69dd4", + "modified": "2023-10-27T20:54:34.904527Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.904573Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for each TCP header that contains TCP options.", + "event_id": "tcp_options", + "id": "x-mitre-sensor-mapping--9f265eff-7036-4605-9086-ffed18765c74", + "modified": "2023-10-27T20:54:34.904573Z", + "relationship": "Communicates With", + "revoked": false, + 
"source": "Service", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.905551Z", + "id": "relationship--89eb9390-5306-4b1b-bd24-757a7df535cc", + "modified": "2023-10-27T20:54:34.905551Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.905551Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for every TCP packet.", + "event_id": "tcp_packet", + "id": "x-mitre-sensor-mapping--c9ffeba5-da30-43a2-8718-502ae31cc105", + "modified": "2023-10-27T20:54:34.905551Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.906714Z", + "id": "relationship--33f5968a-4205-4d97-b48f-a8aeda9847e2", + "modified": "2023-10-27T20:54:34.906714Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.909212Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type close.", + "event_id": "smb2_close_request", + "id": "x-mitre-sensor-mapping--be69cc34-0b7e-4d09-8999-0a9f67cfda52", + "modified": "2023-10-27T20:54:34.909212Z", + "relationship": "Initiated?", + "revoked": false, + "source": "Process/User", + "spec_version": 
"2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.910215Z", + "id": "relationship--8b81d143-12ef-4815-b637-e228e60a6371", + "modified": "2023-10-27T20:54:34.910215Z", + "relationship_type": "Initiated?", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.911265Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 requests of type create.", + "event_id": "smb2_create_request", + "id": "x-mitre-sensor-mapping--44385fd6-824e-475f-a013-9f2233a25cd1", + "modified": "2023-10-27T20:54:34.911265Z", + "relationship": "Initiated?", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.911265Z", + "id": "relationship--f921f64a-19d8-49bf-9231-b1fce9085f9b", + "modified": "2023-10-27T20:54:34.911265Z", + "relationship_type": "Initiated?", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.912266Z", + "data_component": "Network Traffic Content", + "data_source": "Network Traffic", + "description": "Generated for UDP packets to pass on their payload.", + "event_id": "udp_contents", + "id": "x-mitre-sensor-mapping--5f802879-5aec-4368-9a58-a288070f8abb", + "modified": "2023-10-27T20:54:34.912266Z", + "relationship": "Communicates With", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Udp", + 
"type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.912266Z", + "id": "relationship--f64bb6ec-e4fd-42a5-ae83-24815bfd6e54", + "modified": "2023-10-27T20:54:34.912266Z", + "relationship_type": "Communicates With", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--884c4bb8-38d0-4978-b305-3aba280c2a66", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.91334Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC alter context response message.", + "event_id": "dce_rpc_alter_context_resp", + "id": "x-mitre-sensor-mapping--34621428-0fdb-4709-8e95-7bb536441a2e", + "modified": "2023-10-27T20:54:34.91334Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.913906Z", + "id": "relationship--84c4e2f8-d34a-436c-a9ca-dbaa7f247a1c", + "modified": "2023-10-27T20:54:34.913906Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.914453Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC alter context request message.", + "event_id": "dce_rpc_alter_context", + "id": "x-mitre-sensor-mapping--124fee40-7338-410f-987a-cfb82f9804bc", + "modified": "2023-10-27T20:54:34.914453Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": 
"Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.914453Z", + "id": "relationship--574157bc-d4c3-4418-a74b-29abefe542a2", + "modified": "2023-10-27T20:54:34.914453Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.915502Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC bind request message.", + "event_id": "dce_rpc_bind", + "id": "x-mitre-sensor-mapping--9931c0ec-cfd5-4b68-b508-a80d1177bc74", + "modified": "2023-10-27T20:54:34.915502Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.915502Z", + "id": "relationship--8c32738e-6742-46d9-a801-aa5d9f54548d", + "modified": "2023-10-27T20:54:34.915502Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.91657Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC bind request ack message.", + "event_id": "dce_rpc_bind_ack", + "id": "x-mitre-sensor-mapping--679ca171-bae9-4a7b-a345-17de55f9fd7a", + "modified": "2023-10-27T20:54:34.91657Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.91657Z", + "id": "relationship--b0acf9eb-9341-4ca9-9ec1-e8ce28b5bf4e", + "modified": "2023-10-27T20:54:34.91657Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.917579Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MIME headers extracted from email MIME entities, passing all headers at once.", + "event_id": "mime_all_headers", + "id": "x-mitre-sensor-mapping--2d6d48f9-54f9-468c-8864-e25ea34b1a2a", + "modified": "2023-10-27T20:54:34.917579Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Mime", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.917579Z", + "id": "relationship--1c855f71-80aa-426b-a11d-eb3c77c414e8", + "modified": "2023-10-27T20:54:34.917579Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.91862Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a server sends a capability list to the client, after being queried using the CAPABILITY command.", + "event_id": "imap_capabilities", + "id": "x-mitre-sensor-mapping--60049c1e-481c-4405-9956-4f3abe748935", + "modified": "2023-10-27T20:54:34.91862Z", + "relationship": "Communicate Through", + "revoked": 
false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Imap", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.91862Z", + "id": "relationship--2e519c1c-f27d-4cda-82c2-676fe357d109", + "modified": "2023-10-27T20:54:34.91862Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.9197Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a IMAP connection goes encrypted after a successful StartTLS exchange between the client and the server.", + "event_id": "imap_start_tls", + "id": "x-mitre-sensor-mapping--32d1f71e-27ef-4783-a981-90795dc33d60", + "modified": "2023-10-27T20:54:34.9197Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Imap", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.9197Z", + "id": "relationship--3bc1b7f4-82f9-4349-8246-066de54604e5", + "modified": "2023-10-27T20:54:34.9197Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.92074Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Authentication Header (AP) Request as defined in RFC 4120.", + "event_id": "krb_ap_request", + "id": "x-mitre-sensor-mapping--a672c581-b8de-401a-adaa-e2603f3e5620", + "modified": 
"2023-10-27T20:54:34.92074Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.92074Z", + "id": "relationship--8bc5a630-8224-441c-a947-8019673de57f", + "modified": "2023-10-27T20:54:34.92074Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.921827Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Authentication Header (AP) Response as defined in RFC 4120.", + "event_id": "krb_ap_response", + "id": "x-mitre-sensor-mapping--7f75cfba-fe72-4f7a-acca-e795a4c2c6b1", + "modified": "2023-10-27T20:54:34.921827Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.921827Z", + "id": "relationship--acb6ce1b-386a-4ea4-864d-c56f814cf354", + "modified": "2023-10-27T20:54:34.921827Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.92286Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Authentication Server (AS) Request as defined in RFC 4120.", + "event_id": "krb_as_request", + "id": 
"x-mitre-sensor-mapping--1a5ab784-7693-47e8-8ff7-59f2d1e2e23e", + "modified": "2023-10-27T20:54:34.92286Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.923625Z", + "id": "relationship--877d156a-dcb1-49b7-99e5-819f89cd68c6", + "modified": "2023-10-27T20:54:34.923625Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.924176Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Authentication Server (AS) Response as defined in RFC 4120.", + "event_id": "krb_as_response", + "id": "x-mitre-sensor-mapping--0ca95abe-4d96-4875-8fc1-5e2312c9e1bd", + "modified": "2023-10-27T20:54:34.924176Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.925172Z", + "id": "relationship--f4befda6-3c85-45f4-a64c-1a0a89b94322", + "modified": "2023-10-27T20:54:34.925172Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.926165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Ticket Granting Service (TGS) Request as defined in RFC 4120.", + 
"event_id": "krb_tgs_request", + "id": "x-mitre-sensor-mapping--0a8b9a57-9fe0-4800-b3fb-e2b20b16ded2", + "modified": "2023-10-27T20:54:34.926165Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.926165Z", + "id": "relationship--b2ceae64-bd7c-40de-a490-040b5dff8666", + "modified": "2023-10-27T20:54:34.926165Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.927168Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "A Kerberos 5 Ticket Granting Service (TGS) Response as defined in RFC 4120.", + "event_id": "krb_tgs_response", + "id": "x-mitre-sensor-mapping--60ec0474-f3ef-4205-ab4b-f6e73080900b", + "modified": "2023-10-27T20:54:34.927168Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Kerberos", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.927168Z", + "id": "relationship--d98a6946-238d-4d0e-8e0b-10fe574ae336", + "modified": "2023-10-27T20:54:34.927168Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.928299Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type 
positive session response.", + "event_id": "netbios_session_accepted", + "id": "x-mitre-sensor-mapping--ae3c1c47-2f46-423e-92af-43a490a8a500", + "modified": "2023-10-27T20:54:34.928299Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.928299Z", + "id": "relationship--f7556c52-a865-48b9-9233-fbc982d487a1", + "modified": "2023-10-27T20:54:34.928299Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.929301Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type keep-alive.", + "event_id": "netbios_session_keepalive", + "id": "x-mitre-sensor-mapping--efd53ba5-f8e5-42a7-88a9-3bcf2202a7e8", + "modified": "2023-10-27T20:54:34.929301Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.929301Z", + "id": "relationship--d894cb07-89ff-42ad-8c03-d4e7e5cede2f", + "modified": "2023-10-27T20:54:34.929301Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.930428Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for all 
NetBIOS SSN and DGM messages.", + "event_id": "netbios_session_message", + "id": "x-mitre-sensor-mapping--06200f7e-a24b-489c-9b97-ec77948e68f3", + "modified": "2023-10-27T20:54:34.930428Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.930428Z", + "id": "relationship--538b0970-f205-4623-b861-e8af33ccaf8e", + "modified": "2023-10-27T20:54:34.930428Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.931427Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type negative session response.", + "event_id": "netbios_session_rejected", + "id": "x-mitre-sensor-mapping--fdf3b0a3-1cf9-4925-8941-ec031ddd01ec", + "modified": "2023-10-27T20:54:34.931427Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.931427Z", + "id": "relationship--1789b0e1-0fe5-4011-ae2f-34719db1c91a", + "modified": "2023-10-27T20:54:34.931427Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.932448Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": 
"Generated for NetBIOS messages of type session request.", + "event_id": "netbios_session_request", + "id": "x-mitre-sensor-mapping--cec547b8-907c-464b-a562-9b15c85e114b", + "modified": "2023-10-27T20:54:34.932448Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.932448Z", + "id": "relationship--6dc3361d-52bc-4b05-9801-7de78b72a4bd", + "modified": "2023-10-27T20:54:34.932448Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.93344Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NetBIOS messages of type retarget response.", + "event_id": "netbios_session_ret_arg_resp", + "id": "x-mitre-sensor-mapping--e9d90fe0-1917-499d-a715-c3008dee49ac", + "modified": "2023-10-27T20:54:34.93344Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Netbios", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.93344Z", + "id": "relationship--45ef6ff2-80bc-41c6-ba21-ec0bd7593305", + "modified": "2023-10-27T20:54:34.93344Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.934487Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + 
"description": "Generated for NTLM messages of type negotiate.", + "event_id": "ntlm_negotiate", + "id": "x-mitre-sensor-mapping--80b49df7-4fd3-4433-b539-df3580ad8370", + "modified": "2023-10-27T20:54:34.934487Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Ntlm", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.934487Z", + "id": "relationship--c589f59f-1c77-49a3-8313-497cf1023aa5", + "modified": "2023-10-27T20:54:34.934487Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.935475Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for all NTP messages.", + "event_id": "ntp_message", + "id": "x-mitre-sensor-mapping--0b1e9c2e-c94a-414d-89c9-776352ea8ac9", + "modified": "2023-10-27T20:54:34.935475Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Ntp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.935475Z", + "id": "relationship--5be5aea8-488b-46be-b61a-ec448af7431d", + "modified": "2023-10-27T20:54:34.935475Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.936518Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for server-side 
multi-line responses on POP3 connections.", + "event_id": "pop3_data", + "id": "x-mitre-sensor-mapping--2339086e-371c-4208-b93d-b0fc7ab9327d", + "modified": "2023-10-27T20:54:34.936518Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.937524Z", + "id": "relationship--6639404d-c22d-49a6-9579-5c29c73eff18", + "modified": "2023-10-27T20:54:34.937524Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.937524Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for unsuccessful authentications on POP3 connections.", + "event_id": "pop3_login_failure", + "id": "x-mitre-sensor-mapping--2c3a24bc-e494-4eff-bd0e-e9f8f63444e7", + "modified": "2023-10-27T20:54:34.937524Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.938597Z", + "id": "relationship--1e561d32-53fe-46e1-95e2-47470d87cc09", + "modified": "2023-10-27T20:54:34.938597Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.938597Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated 
when a POP3 connection goes encrypted.", + "event_id": "pop3_starttls", + "id": "x-mitre-sensor-mapping--ed5482c6-74f7-4cfe-9004-183fffb2d2eb", + "modified": "2023-10-27T20:54:34.938597Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.939588Z", + "id": "relationship--cdf31fb8-1c21-4773-915e-1ca642a0a157", + "modified": "2023-10-27T20:54:34.939588Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.939588Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when an RDP session becomes encrypted.", + "event_id": "rdp_begin_encryption", + "id": "x-mitre-sensor-mapping--2cdc1556-8d1e-4c62-be57-e5d8f1bc96bb", + "modified": "2023-10-27T20:54:34.939588Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.940574Z", + "id": "relationship--d9036dde-749d-439f-8275-84d61c6fc2e8", + "modified": "2023-10-27T20:54:34.940574Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.941106Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for X.224 
client requests.", + "event_id": "rdp_connect_request", + "id": "x-mitre-sensor-mapping--71679aa1-0b3d-4d7d-b20c-92e8f0045d2e", + "modified": "2023-10-27T20:54:34.941106Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.942172Z", + "id": "relationship--d3e42602-ab20-463f-93d4-b8fdad7dc383", + "modified": "2023-10-27T20:54:34.942172Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.942172Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MCS server responses.", + "event_id": "rdp_gcc_server_create_response", + "id": "x-mitre-sensor-mapping--9a1cfff4-bb59-425b-b257-6d42c37cc707", + "modified": "2023-10-27T20:54:34.942172Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.943126Z", + "id": "relationship--9a35f25a-437f-419c-916e-b0d9658b93ca", + "modified": "2023-10-27T20:54:34.943126Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.943126Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each packet after RDP native 
encryption begins.", + "event_id": "rdp_native_encrypted_data", + "id": "x-mitre-sensor-mapping--c4b02273-3f6a-48ff-bee8-8a98eac50ab8", + "modified": "2023-10-27T20:54:34.943126Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.944196Z", + "id": "relationship--3410b494-9580-448f-9464-5a8fee1d5d7e", + "modified": "2023-10-27T20:54:34.944196Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.945169Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RDP Negotiation Failure messages.", + "event_id": "rdp_negotiation_failure", + "id": "x-mitre-sensor-mapping--33ffa71c-0c95-45b8-a664-3f4f85b37edb", + "modified": "2023-10-27T20:54:34.945169Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.946174Z", + "id": "relationship--b6f827bb-a676-4f57-810c-fd406d611e16", + "modified": "2023-10-27T20:54:34.946174Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.947167Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RDP Negotiation 
Response messages.", + "event_id": "rdp_negotiation_response", + "id": "x-mitre-sensor-mapping--b9e407de-86b6-4f2e-8021-f44fe5df2a31", + "modified": "2023-10-27T20:54:34.947167Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.948167Z", + "id": "relationship--cab28ac7-87d0-4077-8782-ec0af59dcda8", + "modified": "2023-10-27T20:54:34.948167Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.948167Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MCS server responses.", + "event_id": "rdp_server_security", + "id": "x-mitre-sensor-mapping--b1920740-fe92-4991-a4b4-bd5a859d00a7", + "modified": "2023-10-27T20:54:34.948167Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.949166Z", + "id": "relationship--b4350e68-b787-449d-a25f-b5d9deb4a15b", + "modified": "2023-10-27T20:54:34.949166Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.949166Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when for data messages exchanged 
after a RDPEUDP connection establishes", + "event_id": "rdpeudp_data", + "id": "x-mitre-sensor-mapping--267f3671-7a07-4575-bef6-fd08ba2d8da0", + "modified": "2023-10-27T20:54:34.949166Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rdp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.950165Z", + "id": "relationship--a74efd9e-1e28-4a56-aad6-3c4a6b9ed991", + "modified": "2023-10-27T20:54:34.950165Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.950165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RPC call messages.", + "event_id": "rpc_call", + "id": "x-mitre-sensor-mapping--e76ea538-3d36-41e3-833d-78ddb394b598", + "modified": "2023-10-27T20:54:34.950165Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.951165Z", + "id": "relationship--6893117b-68c5-4db9-ab72-0eff64c84414", + "modified": "2023-10-27T20:54:34.951165Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.952165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RPC reply messages.", + "event_id": 
"rpc_reply", + "id": "x-mitre-sensor-mapping--a86521ed-4abe-441c-b5a0-5a9d7cc416bf", + "modified": "2023-10-27T20:54:34.952165Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.952165Z", + "id": "relationship--c47e659c-8de8-40cb-8540-7b17cbc0d642", + "modified": "2023-10-27T20:54:34.952165Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.953165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for RPC request/reply pairs.", + "event_id": "rpc_dialogue", + "id": "x-mitre-sensor-mapping--8db21adb-f430-4035-bea5-3e78cff75bd6", + "modified": "2023-10-27T20:54:34.953165Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.953165Z", + "id": "relationship--473937ef-3b36-441f-b2a4-c470a501f4c4", + "modified": "2023-10-27T20:54:34.953165Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.954166Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 request/reply dialogues of type mnt.", + "event_id": "mount_proc_mnt", + "id": 
"x-mitre-sensor-mapping--817043e7-650e-4e38-b394-f6177d389d1e", + "modified": "2023-10-27T20:54:34.954166Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.954166Z", + "id": "relationship--acd00a22-a951-4c42-8f33-dc1700418fde", + "modified": "2023-10-27T20:54:34.954166Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.955165Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 request/reply dialogues of a type that Zeek’s MOUNTv3 analyzer does not implement.", + "event_id": "mount_proc_not_implemented", + "id": "x-mitre-sensor-mapping--523f3d33-1948-484c-8f12-7f3bfa612689", + "modified": "2023-10-27T20:54:34.955165Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.956168Z", + "id": "relationship--80e24ada-feee-4b6b-b1ba-f3f16415d78e", + "modified": "2023-10-27T20:54:34.956168Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.956717Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 request/reply 
dialogues of type null.", + "event_id": "mount_proc_null", + "id": "x-mitre-sensor-mapping--614f5838-1710-43a6-bc5e-2c27d197b5a7", + "modified": "2023-10-27T20:54:34.956717Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.957704Z", + "id": "relationship--c90697a7-0099-40cf-9fd2-1c104bbc9e5f", + "modified": "2023-10-27T20:54:34.957704Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.957704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 request/reply dialogues of type umnt.", + "event_id": "mount_proc_umnt", + "id": "x-mitre-sensor-mapping--5e24a6a1-afa6-4966-bb9d-ea111a0adda7", + "modified": "2023-10-27T20:54:34.957704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.958704Z", + "id": "relationship--24c70c9c-5b8e-4c6a-a8f2-a126dfbc198a", + "modified": "2023-10-27T20:54:34.958704Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.958704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for MOUNT3 
request/reply dialogues of type umnt_all.", + "event_id": "mount_proc_umnt_all", + "id": "x-mitre-sensor-mapping--bc54ed4b-514d-4cec-a086-a0b21dc0704e", + "modified": "2023-10-27T20:54:34.958704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.959706Z", + "id": "relationship--c190df68-7789-4c21-9edd-4f6cc74ea721", + "modified": "2023-10-27T20:54:34.959706Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.960704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type create.", + "event_id": "nfs_proc_create", + "id": "x-mitre-sensor-mapping--dbb714f8-673a-46f6-bacf-8582df75cfca", + "modified": "2023-10-27T20:54:34.960704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.960704Z", + "id": "relationship--7b9eb0db-c78a-4962-b8b8-3e825e0a13a2", + "modified": "2023-10-27T20:54:34.960704Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.961704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated 
for NFSv3 request/reply dialogues of type getattr.", + "event_id": "nfs_proc_getattr", + "id": "x-mitre-sensor-mapping--e0efa31b-e91a-4ea7-92a0-1561b65280da", + "modified": "2023-10-27T20:54:34.961704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.961704Z", + "id": "relationship--f91a82d5-3a15-434d-9974-44545d63a22c", + "modified": "2023-10-27T20:54:34.961704Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.962705Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type link.", + "event_id": "nfs_proc_link", + "id": "x-mitre-sensor-mapping--9273aabf-5de2-46ad-aceb-083a38a2bd4f", + "modified": "2023-10-27T20:54:34.962705Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.962705Z", + "id": "relationship--67d208b5-86e7-48fe-847f-08e90fef7608", + "modified": "2023-10-27T20:54:34.962705Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.963704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": 
"Generated for NFSv3 request/reply dialogues of type lookup.", + "event_id": "nfs_proc_lookup", + "id": "x-mitre-sensor-mapping--3726ca70-3ca2-4af2-8f3e-86f8841608b1", + "modified": "2023-10-27T20:54:34.963704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.964704Z", + "id": "relationship--bb25d52f-c035-4417-b641-e7b5854f55b5", + "modified": "2023-10-27T20:54:34.964704Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.964704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type mkdir.", + "event_id": "nfs_proc_mkdir", + "id": "x-mitre-sensor-mapping--c7a62e10-22a7-4ab0-8137-f9dc85c8bcc1", + "modified": "2023-10-27T20:54:34.964704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.965704Z", + "id": "relationship--39a51292-e13d-4390-be8e-89abc6ee23d2", + "modified": "2023-10-27T20:54:34.965704Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.965704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + 
"description": "Generated for NFSv3 request/reply dialogues of type null.", + "event_id": "nfs_proc_mkdir", + "id": "x-mitre-sensor-mapping--8ba1eca6-0215-4a64-b7c0-33ef8a0e0769", + "modified": "2023-10-27T20:54:34.965704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.966704Z", + "id": "relationship--a663d7ac-181f-4fec-938e-126ff42824d2", + "modified": "2023-10-27T20:54:34.966704Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.967704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type read.", + "event_id": "nfs_proc_read", + "id": "x-mitre-sensor-mapping--071d6832-5621-4227-ba7a-3e2ddb76ad8e", + "modified": "2023-10-27T20:54:34.967704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.967704Z", + "id": "relationship--b2c7ba7d-043d-4f95-af61-be2d73670411", + "modified": "2023-10-27T20:54:34.967704Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.968703Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + 
"description": "Generated for NFSv3 request/reply dialogues of type readdir.", + "event_id": "nfs_proc_readdir", + "id": "x-mitre-sensor-mapping--90709134-07a2-4276-ae99-735c0107cef4", + "modified": "2023-10-27T20:54:34.968703Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.968703Z", + "id": "relationship--849eb517-d181-4790-ad66-82ec881d9b93", + "modified": "2023-10-27T20:54:34.968703Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.969704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type readlink.", + "event_id": "nfs_proc_readlink", + "id": "x-mitre-sensor-mapping--ada1c22a-389c-45bd-b1bf-f64ebf3156bc", + "modified": "2023-10-27T20:54:34.969704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.969704Z", + "id": "relationship--5598db3e-4390-40fe-8530-e8431f9226da", + "modified": "2023-10-27T20:54:34.969704Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.971759Z", + "data_component": "Network Traffic Flow", + "data_source": "Network 
Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type remove.", + "event_id": "nfs_proc_remove", + "id": "x-mitre-sensor-mapping--72936d12-c81e-4606-98a3-764e4610e792", + "modified": "2023-10-27T20:54:34.971759Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.971759Z", + "id": "relationship--f83f7ca0-f343-4cf6-9eb8-e8ba55c2a757", + "modified": "2023-10-27T20:54:34.971759Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.972832Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type rename.", + "event_id": "nfs_proc_rename", + "id": "x-mitre-sensor-mapping--bfb142d3-693a-4aa2-b872-86483ac84f67", + "modified": "2023-10-27T20:54:34.972832Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.973473Z", + "id": "relationship--ede3fef6-e5d0-4adf-a8a7-86ebac7b9034", + "modified": "2023-10-27T20:54:34.973473Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.974121Z", + "data_component": "Network Traffic Flow", + "data_source": 
"Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type rmdir.", + "event_id": "nfs_proc_rmdir", + "id": "x-mitre-sensor-mapping--f9734ad1-f6d6-4381-b0c4-b2265f49bd16", + "modified": "2023-10-27T20:54:34.974121Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.974121Z", + "id": "relationship--3f3d87c2-5f99-4e16-bd02-d3edd25a9bb1", + "modified": "2023-10-27T20:54:34.974121Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.975098Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type sattr.", + "event_id": "nfs_proc_sattr", + "id": "x-mitre-sensor-mapping--1ba230a6-9b4f-482f-8ec0-c7577ad660b9", + "modified": "2023-10-27T20:54:34.975098Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.976153Z", + "id": "relationship--69e6e30a-c056-4297-bc19-dbdb3b660492", + "modified": "2023-10-27T20:54:34.976153Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.976153Z", + "data_component": "Network Traffic Flow", + "data_source": 
"Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type symlink.", + "event_id": "nfs_proc_symlink", + "id": "x-mitre-sensor-mapping--17af3a06-4684-405c-bdf7-6bc04b342099", + "modified": "2023-10-27T20:54:34.976153Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.977148Z", + "id": "relationship--41f07cf9-97bb-4845-bcb9-9002cab458b9", + "modified": "2023-10-27T20:54:34.977148Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.977148Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for NFSv3 request/reply dialogues of type write.", + "event_id": "nfs_proc_write", + "id": "x-mitre-sensor-mapping--e5165d84-42ac-42ba-9f68-7598e4801398", + "modified": "2023-10-27T20:54:34.977148Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.97814Z", + "id": "relationship--cfa9c8a8-1cdb-4375-9061-4806dc5c9bc1", + "modified": "2023-10-27T20:54:34.97814Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.979247Z", + "data_component": "Network Traffic Flow", + 
"data_source": "Network Traffic", + "description": "Generated for each NFSv3 reply message received, reporting just the status included.", + "event_id": "nfs_reply_status", + "id": "x-mitre-sensor-mapping--c5d0d896-2705-4273-aa36-f8e04a59e9d5", + "modified": "2023-10-27T20:54:34.979247Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.979247Z", + "id": "relationship--d356c174-243f-4376-9140-f744576d2203", + "modified": "2023-10-27T20:54:34.979247Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.980332Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type callit.", + "event_id": "pm_attempt_callit", + "id": "x-mitre-sensor-mapping--1a25ab67-fccc-4ff5-89ae-3b29d092375c", + "modified": "2023-10-27T20:54:34.980332Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.980332Z", + "id": "relationship--b1533203-43ff-449d-bb30-15809399137b", + "modified": "2023-10-27T20:54:34.980332Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.981355Z", + 
"data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type dump.", + "event_id": "pm_attempt_dump", + "id": "x-mitre-sensor-mapping--785617c1-6a1a-49b0-9145-a9df20c2abca", + "modified": "2023-10-27T20:54:34.981355Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.981355Z", + "id": "relationship--f2011621-d6e7-4da6-8ec7-828f5dd17c17", + "modified": "2023-10-27T20:54:34.981355Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.982433Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type getport.", + "event_id": "pm_attempt_getport", + "id": "x-mitre-sensor-mapping--3c075490-c85c-4e5a-92ce-2b1852c585b5", + "modified": "2023-10-27T20:54:34.982433Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.982433Z", + "id": "relationship--663fa1a3-4083-4b8a-a58a-fa3aff803579", + "modified": "2023-10-27T20:54:34.982433Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.983481Z", + 
"data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type null.", + "event_id": "pm_attempt_null", + "id": "x-mitre-sensor-mapping--b7b972d0-1d91-44f3-93d5-5cf2671f51ba", + "modified": "2023-10-27T20:54:34.983481Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.98402Z", + "id": "relationship--aaf9d7a9-c2a3-4e3e-9e7c-5dda7c43e82b", + "modified": "2023-10-27T20:54:34.98402Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.984563Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type set.", + "event_id": "pm_attempt_set", + "id": "x-mitre-sensor-mapping--f09d2543-ae65-41c4-b168-f9a4de4f04fe", + "modified": "2023-10-27T20:54:34.984563Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.984563Z", + "id": "relationship--a9fed388-60aa-43bf-aa6c-b8045de445c3", + "modified": "2023-10-27T20:54:34.984563Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.985644Z", + 
"data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for failed Portmapper requests of type unset.", + "event_id": "pm_attempt_unset", + "id": "x-mitre-sensor-mapping--a1e6a43f-6f6e-4c54-9f7a-45d63b41836a", + "modified": "2023-10-27T20:54:34.985644Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.986506Z", + "id": "relationship--31162424-bbcf-49d4-a49b-c1dec925ffe3", + "modified": "2023-10-27T20:54:34.986506Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.987052Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for Portmapper requests or replies that include an invalid port number.", + "event_id": "pm_bad_port", + "id": "x-mitre-sensor-mapping--38784694-0277-4ef4-8edd-7974d59e38d3", + "modified": "2023-10-27T20:54:34.987052Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.988051Z", + "id": "relationship--b621698b-75e6-461f-a27b-5336c396d44c", + "modified": "2023-10-27T20:54:34.988051Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": 
"2023-10-27T20:54:34.988051Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SIP replies, used in Voice over IP (VoIP).", + "event_id": "sip_reply", + "id": "x-mitre-sensor-mapping--6152d455-afe8-4b11-b435-f7ae1c3285f6", + "modified": "2023-10-27T20:54:34.988051Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Cloud", + "spec_version": "2.1", + "target": "Sip", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.989182Z", + "id": "relationship--9e12bad4-6024-4a0e-b6f7-d4937f5a9c8f", + "modified": "2023-10-27T20:54:34.989182Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.989182Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SIP requests, used in Voice over IP (VoIP).", + "event_id": "sip_request", + "id": "x-mitre-sensor-mapping--d310a40d-6806-4389-9131-90b58e032e06", + "modified": "2023-10-27T20:54:34.989182Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Sip", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.990278Z", + "id": "relationship--5bcfcd7d-0e22-47d3-8159-b3e92deb0f4d", + "modified": "2023-10-27T20:54:34.990278Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": 
"2023-10-27T20:54:34.990278Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DATA transmitted on SMTP sessions.", + "event_id": "smtp_data", + "id": "x-mitre-sensor-mapping--44dfd0dd-c8cb-4c58-9a74-c56176f8ceb5", + "modified": "2023-10-27T20:54:34.990278Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host, Process/User", + "spec_version": "2.1", + "target": "Smtp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.991283Z", + "id": "relationship--4e8f82f7-073a-42ee-9693-406ed1aea3cd", + "modified": "2023-10-27T20:54:34.991283Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.992296Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated if a connection switched to using TLS using STARTTLS or X-ANONYMOUSTLS.", + "event_id": "smtp_starttls", + "id": "x-mitre-sensor-mapping--5f19fb8d-4ef8-4a37-be5c-f805a2f389d3", + "modified": "2023-10-27T20:54:34.992296Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host, Process/User", + "spec_version": "2.1", + "target": "Smtp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.992296Z", + "id": "relationship--8495c280-18af-449e-a847-b017a816b6c3", + "modified": "2023-10-27T20:54:34.992296Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" 
+ }, + { + "created": "2023-10-27T20:54:34.993297Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SNMP GetBulkRequest-PDU message from RFC 3416.", + "event_id": "snmp_get_bulk_request", + "id": "x-mitre-sensor-mapping--18211c82-1339-46c4-9ab4-f8b5e899c27d", + "modified": "2023-10-27T20:54:34.993297Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.993297Z", + "id": "relationship--e1b258eb-fb4d-4225-a076-5327ed4cf540", + "modified": "2023-10-27T20:54:34.993297Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.994292Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SNMP GetNextRequest-PDU message from either RFC 1157 or RFC 3416.", + "event_id": "snmp_get_next_request", + "id": "x-mitre-sensor-mapping--bf99194e-2baf-49a6-bf24-1db14c471113", + "modified": "2023-10-27T20:54:34.994292Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.994292Z", + "id": "relationship--4f79459f-2796-4e13-af07-a20193a78141", + "modified": "2023-10-27T20:54:34.994292Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": 
"relationship" + }, + { + "created": "2023-10-27T20:54:34.995359Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SNMP InformRequest-PDU message from RFC 3416.", + "event_id": "snmp_inform_request", + "id": "x-mitre-sensor-mapping--ffbc6e41-2461-49c1-8576-aca2e5d48692", + "modified": "2023-10-27T20:54:34.995359Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host, Process", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.996358Z", + "id": "relationship--2349b0ae-8ddb-4fcc-92fa-ba8e27541aeb", + "modified": "2023-10-27T20:54:34.996358Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.996358Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SNMP GetResponse-PDU message from RFC 1157 or a Response-PDU from RFC 3416.", + "event_id": "snmp_response", + "id": "x-mitre-sensor-mapping--1377b4ee-bddf-48b2-974a-91e59d1ce626", + "modified": "2023-10-27T20:54:34.996358Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Snmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.997294Z", + "id": "relationship--13a9a09e-f9a0-4d69-b795-23d4a7c2c98b", + "modified": "2023-10-27T20:54:34.997294Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.998859Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a SOCKS reply is analyzed.", + "event_id": "socks_reply", + "id": "x-mitre-sensor-mapping--fa917952-81dd-4a66-a21d-a56da918f9d7", + "modified": "2023-10-27T20:54:34.998859Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Socks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:34.999859Z", + "id": "relationship--08959006-3c8e-41d6-9dcd-e8b3c4876bec", + "modified": "2023-10-27T20:54:34.999859Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:34.999859Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a SOCKS request is analyzed.", + "event_id": "socks_request", + "id": "x-mitre-sensor-mapping--7b11ef72-7658-44b2-b0c6-bc4a40c48d73", + "modified": "2023-10-27T20:54:34.999859Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Socks", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.001941Z", + "id": "relationship--1bed2420-4013-4cc2-99a7-38f0574da5f8", + "modified": "2023-10-27T20:54:35.001941Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.00258Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SSH Protocol Version Exchange message from the client.", + "event_id": "ssh_client_version", + "id": "x-mitre-sensor-mapping--0059f74e-b3ba-444c-b651-cf96fa7d86c1", + "modified": "2023-10-27T20:54:35.00258Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.00258Z", + "id": "relationship--16868194-159d-47b3-994b-13ac681b6470", + "modified": "2023-10-27T20:54:35.00258Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.003585Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "An SSH Protocol Version Exchange message from the server.", + "event_id": "ssh_server_version", + "id": "x-mitre-sensor-mapping--fb9bd7da-cf6b-4b66-b6b5-89aa43f8bde3", + "modified": "2023-10-27T20:54:35.003585Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.004586Z", + "id": "relationship--9a207a82-cd94-455a-ab4f-bfc0d54b0849", + "modified": "2023-10-27T20:54:35.004586Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.004586Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "This event is raised when a SSL/TLS ChangeCipherSpec message is encountered before encryption begins.", + "event_id": "ssl_change_cipher_spec", + "id": "x-mitre-sensor-mapping--6f844fdd-4d6d-485c-98f1-ffd6565f605c", + "modified": "2023-10-27T20:54:35.004586Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.005582Z", + "id": "relationship--34d10376-3656-4724-a0f5-edbe6a3334ae", + "modified": "2023-10-27T20:54:35.005582Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.006581Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SSL/TLS extensions seen in an initial handshake.", + "event_id": "ssl_extension", + "id": "x-mitre-sensor-mapping--524a65f9-58d0-4d9f-a25b-625c5612c75e", + "modified": "2023-10-27T20:54:35.006581Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.006581Z", + "id": "relationship--f3c008a1-0ff7-4a7a-9393-b013597adf5c", + "modified": "2023-10-27T20:54:35.006581Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.007584Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "This event is raised for each unencrypted SSL/TLS handshake message.", + "event_id": "ssl_handshake_message", + "id": "x-mitre-sensor-mapping--29c57691-ab69-4d48-8538-bfda8217b87c", + "modified": "2023-10-27T20:54:35.007584Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.008591Z", + "id": "relationship--a4406e60-2b90-4c32-b693-38a05d3f0e93", + "modified": "2023-10-27T20:54:35.008591Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.009572Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SSL/TLS heartbeat messages that are sent before session encryption starts.", + "event_id": "ssl_heartbeat", + "id": "x-mitre-sensor-mapping--c715dbd5-ff13-4215-a087-e05f9e589b8b", + "modified": "2023-10-27T20:54:35.009572Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Ssl", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.009572Z", + "id": "relationship--12c6e227-19f0-4076-9cd7-992b16aeb8fb", + "modified": "2023-10-27T20:54:35.009572Z", + 
"relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.010586Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for an unsuccessful connection attempt.", + "event_id": "connection_attempt", + "id": "x-mitre-sensor-mapping--fc325c64-30a8-430b-acb2-7a7e32cdbdac", + "modified": "2023-10-27T20:54:35.010586Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.011601Z", + "id": "relationship--8121faba-76df-48ff-acc5-e8e9c03ea967", + "modified": "2023-10-27T20:54:35.011601Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.011601Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated at the end of reassembled TCP connections.", + "event_id": "connection_eof", + "id": "x-mitre-sensor-mapping--c60a12b3-bfc4-466f-9c4b-e87ec9d3365a", + "modified": "2023-10-27T20:54:35.011601Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.013176Z", + "id": "relationship--75173d94-149f-4286-b4a0-1a4a668afacc", + "modified": "2023-10-27T20:54:35.013176Z", + 
"relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.013176Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for a TCP connection that finished normally.", + "event_id": "connection_finished", + "id": "x-mitre-sensor-mapping--3e7528e7-5f02-45ba-ab61-1343cf656040", + "modified": "2023-10-27T20:54:35.013176Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.014153Z", + "id": "relationship--72ce6d52-84d2-4fa7-98f4-5b28a7a01759", + "modified": "2023-10-27T20:54:35.014153Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.015146Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when one endpoint of a TCP connection attempted to gracefully close the connection, but the other endpoint is in the TCP_INACTIVE state.", + "event_id": "connection_half_finished", + "id": "x-mitre-sensor-mapping--c1d2687e-f402-4dfb-8f69-936545a4bc1e", + "modified": "2023-10-27T20:54:35.015146Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": 
"2023-10-27T20:54:35.015146Z", + "id": "relationship--bc5cb37c-a08b-4e73-b4f3-5710279f5d4b", + "modified": "2023-10-27T20:54:35.015146Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.017149Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when a previously inactive endpoint attempts to close a TCP connection via a normal FIN handshake or an abort RST sequence.", + "event_id": "connection_partial_close", + "id": "x-mitre-sensor-mapping--f8bf284b-9ee7-4419-9b36-42c5ce830dd6", + "modified": "2023-10-27T20:54:35.017149Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.017695Z", + "id": "relationship--664d2818-cf12-4d81-97bd-03c6daecd601", + "modified": "2023-10-27T20:54:35.017695Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.0187Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each still-open TCP connection when Zeek terminates.", + "event_id": "connection_pending", + "id": "x-mitre-sensor-mapping--a108932e-42fd-4e1b-87af-bb07e1f777dc", + "modified": "2023-10-27T20:54:35.0187Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Service", + "spec_version": "2.1", + 
"target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.019691Z", + "id": "relationship--bface66f-7dbd-43fd-a4c4-959377cb3363", + "modified": "2023-10-27T20:54:35.019691Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.020716Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for a rejected TCP connection.", + "event_id": "connection_rejected", + "id": "x-mitre-sensor-mapping--1edd67e4-ac0a-4944-86a6-9a1c1bf642bd", + "modified": "2023-10-27T20:54:35.020716Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.020716Z", + "id": "relationship--e6e2b802-b985-4291-8941-0f427b623057", + "modified": "2023-10-27T20:54:35.020716Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.021769Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated when an endpoint aborted a TCP connection.", + "event_id": "connection_reset", + "id": "x-mitre-sensor-mapping--345656fc-dd0a-4fa5-8125-969abe256199", + "modified": "2023-10-27T20:54:35.021769Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User, Host", + "spec_version": "2.1", + 
"target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.022771Z", + "id": "relationship--590c0d38-4ccc-4a73-8748-a821c3eecacf", + "modified": "2023-10-27T20:54:35.022771Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.022771Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for a new active TCP connection if Zeek did not see the initial handshake.", + "event_id": "partial_connection", + "id": "x-mitre-sensor-mapping--264556ad-bdfe-415a-9d48-9298e31608ca", + "modified": "2023-10-27T20:54:35.022771Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.023777Z", + "id": "relationship--1d978206-c97f-4525-a9ce-0431953e7214", + "modified": "2023-10-27T20:54:35.023777Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.023777Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each detected TCP segment retransmission.", + "event_id": "tcp_rexmit", + "id": "x-mitre-sensor-mapping--dbea7ab0-b5c7-42b3-b41a-4ea1f1f93674", + "modified": "2023-10-27T20:54:35.023777Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + 
"spec_version": "2.1", + "target": "Tcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.024798Z", + "id": "relationship--e4fc1fc2-744a-4d51-9f17-631cd1e683ec", + "modified": "2023-10-27T20:54:35.024798Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.025704Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "This event is generated when an SSH connection was determined to have had an authentication attempt.", + "event_id": "ssh_auth_attempted", + "id": "x-mitre-sensor-mapping--4bf2202e-2c6e-4d8d-88bd-f0a7360abe7c", + "modified": "2023-10-27T20:54:35.025704Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ssh", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.026266Z", + "id": "relationship--1f944da1-653a-4cce-93ca-578f569440bc", + "modified": "2023-10-27T20:54:35.026266Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.026266Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for ARP requests.", + "event_id": "arp_request", + "id": "x-mitre-sensor-mapping--97d5609d-d0a5-4cab-943c-728050bdfcd3", + "modified": "2023-10-27T20:54:35.026266Z", + "relationship": "Communicate Through", + "revoked": false, + "source": 
"Service", + "spec_version": "2.1", + "target": "Arp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.027265Z", + "id": "relationship--8550728c-3feb-40a7-a50f-050b473b9246", + "modified": "2023-10-27T20:54:35.027265Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.028262Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for ARP replies.", + "event_id": "arp_reply", + "id": "x-mitre-sensor-mapping--a1219f50-d101-4323-94b7-94ca9abe4380", + "modified": "2023-10-27T20:54:35.028262Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Arp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.028262Z", + "id": "relationship--b83c893f-29bb-49dc-9666-00b9a949f2e4", + "modified": "2023-10-27T20:54:35.028262Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.029335Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS requests.", + "event_id": "dns_request", + "id": "x-mitre-sensor-mapping--32a33dd0-fce5-4c6b-8f3d-86e9798b39cc", + "modified": "2023-10-27T20:54:35.029335Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Dns", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.029335Z", + "id": "relationship--85e55279-9cc4-444b-b2d7-baf34dc863ce", + "modified": "2023-10-27T20:54:35.029335Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.03034Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated on DNS reply resource records when the type of record is not one that Zeek knows how to parse and generate another more specific event.", + "event_id": "dns_unknown_reply", + "id": "x-mitre-sensor-mapping--8c6e28cc-b043-4438-a266-52df94a5eca1", + "modified": "2023-10-27T20:54:35.03034Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.03134Z", + "id": "relationship--67ac97a1-5908-4cb3-bfa1-6c5ed24c30c2", + "modified": "2023-10-27T20:54:35.03134Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.032254Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type A6.", + "event_id": "dns_a6_reply", + "id": "x-mitre-sensor-mapping--97f88c40-42ab-4f77-856b-55f153d17a8b", + "modified": "2023-10-27T20:54:35.032254Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", 
+ "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.032793Z", + "id": "relationship--fe045dac-fd99-481e-919b-25704a5a3f70", + "modified": "2023-10-27T20:54:35.032793Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.033842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type AAAA.", + "event_id": "dns_AAAA_reply", + "id": "x-mitre-sensor-mapping--6de6c475-1796-45ea-8652-febf379e985a", + "modified": "2023-10-27T20:54:35.033842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.033842Z", + "id": "relationship--82329099-5ac7-4b11-ab58-efd45f65dd8b", + "modified": "2023-10-27T20:54:35.033842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.034842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type A.", + "event_id": "dns_A_reply", + "id": "x-mitre-sensor-mapping--1fb34e59-b11a-4d43-9685-15f005749cd9", + "modified": "2023-10-27T20:54:35.034842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.035842Z", + "id": "relationship--769e39e0-9a1c-4463-a12b-117e135bc360", + "modified": "2023-10-27T20:54:35.035842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.035842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type CAA (Certification Authority Authorization).", + "event_id": "dns_CAA_reply", + "id": "x-mitre-sensor-mapping--fc5af907-8a24-4c75-a106-7bd6a26354f5", + "modified": "2023-10-27T20:54:35.035842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.036842Z", + "id": "relationship--ef3941dc-ba4e-43c8-95dd-cb871ac0e7be", + "modified": "2023-10-27T20:54:35.036842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.037843Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type CNAME.", + "event_id": "dns_CNAME_reply", + "id": "x-mitre-sensor-mapping--fa31c39f-2f48-43d3-842d-f1f377c548f2", + "modified": "2023-10-27T20:54:35.037843Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": 
"x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.037843Z", + "id": "relationship--c6f73b27-909d-4b56-ace4-20a11c851e92", + "modified": "2023-10-27T20:54:35.037843Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.038843Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type DNSKEY.", + "event_id": "dns_DNSKEY_reply", + "id": "x-mitre-sensor-mapping--0e48135a-4355-48bd-a699-415f4541795a", + "modified": "2023-10-27T20:54:35.038843Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.038843Z", + "id": "relationship--68599ee6-5521-48b0-b5d8-f7f14d0da29f", + "modified": "2023-10-27T20:54:35.038843Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.039842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type DS.", + "event_id": "dns_DS_reply", + "id": "x-mitre-sensor-mapping--a2ec1ecd-6207-4b78-9c3c-2bfc247d9996", + "modified": "2023-10-27T20:54:35.039842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + 
"x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.040842Z", + "id": "relationship--fe2f5d25-9e9a-4007-b8f2-dead3f71a417", + "modified": "2023-10-27T20:54:35.040842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.040842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type EDNS.", + "event_id": "dns_EDNS_addl_reply", + "id": "x-mitre-sensor-mapping--3cc16ce9-5e53-429a-abfd-97d8e6906f41", + "modified": "2023-10-27T20:54:35.040842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.041842Z", + "id": "relationship--92508b1f-aee5-4555-8fff-2adcc0f89129", + "modified": "2023-10-27T20:54:35.041842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.042842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type EDNS.", + "event_id": "dns_EDNS_ecs_reply", + "id": "x-mitre-sensor-mapping--16de85c8-062b-41c7-b1e4-1a5f9f76f807", + "modified": "2023-10-27T20:54:35.042842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + 
}, + { + "created": "2023-10-27T20:54:35.042842Z", + "id": "relationship--5bac7719-631f-4bb6-9cb4-e5613791a0db", + "modified": "2023-10-27T20:54:35.042842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.043842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type HINFO.", + "event_id": "dns_HINFO_reply", + "id": "x-mitre-sensor-mapping--9fd1888c-ade9-4475-bceb-5406febfa89c", + "modified": "2023-10-27T20:54:35.043842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.043842Z", + "id": "relationship--f9c14a83-36fe-4ed9-a93e-935014331967", + "modified": "2023-10-27T20:54:35.043842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.044842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type MX.", + "event_id": "dns_MX_reply", + "id": "x-mitre-sensor-mapping--a5addcf6-e8d4-4990-b945-1c29f67bfc80", + "modified": "2023-10-27T20:54:35.044842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": 
"2023-10-27T20:54:35.045842Z", + "id": "relationship--7d2ed960-2ef7-4197-98fc-a348e45cf82a", + "modified": "2023-10-27T20:54:35.045842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.045842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type NSEC.", + "event_id": "dns_NSEC_reply", + "id": "x-mitre-sensor-mapping--79a79caa-13e6-49f9-be8c-a42c7e23bbd1", + "modified": "2023-10-27T20:54:35.045842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.046842Z", + "id": "relationship--1312f932-353a-4f08-9111-8e3a06352eab", + "modified": "2023-10-27T20:54:35.046842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.047844Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type NSEC3.", + "event_id": "dns_NSEC_reply", + "id": "x-mitre-sensor-mapping--336e9a93-86a9-4b7d-a5fd-181734af851d", + "modified": "2023-10-27T20:54:35.047844Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.048842Z", + "id": 
"relationship--b1c98350-d76e-4eb5-a4ad-b836e2a0b5c2", + "modified": "2023-10-27T20:54:35.048842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.048842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type NS.", + "event_id": "dns_NS_reply", + "id": "x-mitre-sensor-mapping--1b3d866d-b2a9-48c9-abb0-da41576dc104", + "modified": "2023-10-27T20:54:35.048842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.049842Z", + "id": "relationship--ce4d4ebe-4403-4cc3-b7e7-64f1e2e15543", + "modified": "2023-10-27T20:54:35.049842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.050841Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type PTR.", + "event_id": "dns_PTR_reply", + "id": "x-mitre-sensor-mapping--ead230b8-eafb-49ca-8603-eb6894abc929", + "modified": "2023-10-27T20:54:35.050841Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.050841Z", + "id": "relationship--d2429374-9508-4dbf-9b8d-e2118e98ddcc", 
+ "modified": "2023-10-27T20:54:35.050841Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.051842Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type RRSIG.", + "event_id": "dns_RRSIG_reply", + "id": "x-mitre-sensor-mapping--c51079ce-fc83-4fd8-b1bd-ad17e15605c4", + "modified": "2023-10-27T20:54:35.051842Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.051842Z", + "id": "relationship--c44697e2-f50f-4e12-b3b9-47174778a638", + "modified": "2023-10-27T20:54:35.051842Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.052843Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type SOA.", + "event_id": "dns_SOA_reply", + "id": "x-mitre-sensor-mapping--39c5f5e6-7860-4961-abdd-db50a6ae58be", + "modified": "2023-10-27T20:54:35.052843Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.053846Z", + "id": "relationship--28253ecb-3a57-4f2e-aaf5-f8cca91558eb", + "modified": "2023-10-27T20:54:35.053846Z", + 
"relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.053846Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type SPF.", + "event_id": "dns_SPF_reply", + "id": "x-mitre-sensor-mapping--9ac7665f-6df1-4c89-88ea-76120a535a73", + "modified": "2023-10-27T20:54:35.053846Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.05587Z", + "id": "relationship--d3ffebf7-054b-4bc9-a196-064792b6dd62", + "modified": "2023-10-27T20:54:35.05587Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.056844Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type SRV.", + "event_id": "dns_SRV_reply", + "id": "x-mitre-sensor-mapping--95f0513a-8e29-4c0a-997a-a33e40deacc5", + "modified": "2023-10-27T20:54:35.056844Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.057852Z", + "id": "relationship--1bce2d1c-5f3b-4c59-a828-a6ae6078fbda", + "modified": "2023-10-27T20:54:35.057852Z", + "relationship_type": "Communicate Through", + 
"revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.05894Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type TSIG.", + "event_id": "dns_TSIG_reply", + "id": "x-mitre-sensor-mapping--f5a66ea6-f1b4-41d9-8e01-1afcc1aa2729", + "modified": "2023-10-27T20:54:35.05894Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.059845Z", + "id": "relationship--aaddce76-a5f1-40f9-b681-23a5f92fdcea", + "modified": "2023-10-27T20:54:35.059845Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.061368Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type TXT.", + "event_id": "dns_TXT_reply", + "id": "x-mitre-sensor-mapping--8bddc316-8d39-4fc9-9608-35b3d5007fa2", + "modified": "2023-10-27T20:54:35.061368Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.061368Z", + "id": "relationship--08149d2d-076e-46e8-bb59-59dbeda6aa06", + "modified": "2023-10-27T20:54:35.061368Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.062366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for DNS replies of type WKS.", + "event_id": "dns_WKS_reply", + "id": "x-mitre-sensor-mapping--70dbfd87-8c6b-4d37-b55a-ffad5f9209bb", + "modified": "2023-10-27T20:54:35.062366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dns", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.063369Z", + "id": "relationship--e99116d7-017d-429a-bbba-658ab29b554e", + "modified": "2023-10-27T20:54:35.063369Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.064367Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for client-side FTP commands.", + "event_id": "ftp_request", + "id": "x-mitre-sensor-mapping--3e8368e4-2270-4346-b37d-e7f41ea09fe2", + "modified": "2023-10-27T20:54:35.064367Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Ftp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.065371Z", + "id": "relationship--f2312f56-8f83-4596-9af8-1cd744cd5ed9", + "modified": "2023-10-27T20:54:35.065371Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.065371Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for server-side FTP replies.", + "event_id": "ftp_reply", + "id": "x-mitre-sensor-mapping--826ea1ff-9b89-4606-ba30-a05350b5235d", + "modified": "2023-10-27T20:54:35.065371Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Ftp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.066373Z", + "id": "relationship--6ceae0bd-9891-47df-9a15-6d37237acebc", + "modified": "2023-10-27T20:54:35.066373Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.067367Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type close.", + "event_id": "smb2_close_response", + "id": "x-mitre-sensor-mapping--ae304fbd-4395-4134-abab-88d0c70f332b", + "modified": "2023-10-27T20:54:35.067367Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.067367Z", + "id": "relationship--545a4c68-9884-4379-8efd-0ea48b0c92de", + "modified": "2023-10-27T20:54:35.067367Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.068366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for SMB/CIFS version 2 responses of type create.", + "event_id": "smb2_create_response", + "id": "x-mitre-sensor-mapping--63a7e1d5-2b34-45f9-9343-9e32210bde42", + "modified": "2023-10-27T20:54:35.068366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Smb2", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.069366Z", + "id": "relationship--208789e7-4b46-4d91-b868-31d47d22c692", + "modified": "2023-10-27T20:54:35.069366Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.069366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for client-side commands on POP3 connections.", + "event_id": "pop3_request", + "id": "x-mitre-sensor-mapping--26bd5143-39bf-41b9-a7e5-ba6e87d7e08a", + "modified": "2023-10-27T20:54:35.069366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.070366Z", + "id": "relationship--66423d28-6dd2-401b-bbd8-ea381b99b34e", + "modified": "2023-10-27T20:54:35.070366Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.071366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for server-side replies to commands on POP3 connections.", + "event_id": "pop3_reply", + "id": "x-mitre-sensor-mapping--3e81c58f-1299-4424-bcba-be6de72c412b", + "modified": "2023-10-27T20:54:35.071366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Pop3", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.071366Z", + "id": "relationship--7fb68302-7d68-41dd-a0da-1e528a2af4fc", + "modified": "2023-10-27T20:54:35.071366Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.072366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for client-side SMTP commands.", + "event_id": "smtp_request", + "id": "x-mitre-sensor-mapping--02415b7c-d22d-47b7-97e1-187ad8c81b23", + "modified": "2023-10-27T20:54:35.072366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Smtp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.073367Z", + "id": "relationship--8532700e-742c-4014-9e4f-7e18cd212300", + "modified": "2023-10-27T20:54:35.073367Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.073367Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for server-side SMTP commands.", + "event_id": "smtp_reply", + "id": "x-mitre-sensor-mapping--53827a76-bb5a-4ff8-8bd5-ff173343b49f", + "modified": "2023-10-27T20:54:35.073367Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Smtp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.074366Z", + "id": "relationship--978779f9-915b-437a-a83c-df9e6fe9f86a", + "modified": "2023-10-27T20:54:35.074366Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.075366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for all DHCP messages.", + "event_id": "dhcp_message", + "id": "x-mitre-sensor-mapping--839940fc-a7f3-4e30-8a40-833b1d5f7cbe", + "modified": "2023-10-27T20:54:35.075366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Dhcp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.075366Z", + "id": "relationship--ceb3be53-fbde-446c-a7e8-5935de591234", + "modified": "2023-10-27T20:54:35.075366Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", 
+ "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.077367Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for ICMP echo request messages.", + "event_id": "icmp_echo_request", + "id": "x-mitre-sensor-mapping--214d82f8-0a52-4da1-84b4-aaaaaf51a01c", + "modified": "2023-10-27T20:54:35.077367Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Command Execution", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.077367Z", + "id": "relationship--b4d031bf-5596-418d-85cb-e8a6b8cebaac", + "modified": "2023-10-27T20:54:35.077367Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.079369Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for ICMP echo reply messages.", + "event_id": "icmp_echo_reply", + "id": "x-mitre-sensor-mapping--690d4e53-bab7-49a6-b6e5-cad0c6a620ac", + "modified": "2023-10-27T20:54:35.079369Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Command Execution", + "spec_version": "2.1", + "target": "Icmp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.080369Z", + "id": "relationship--3d0313da-c017-49ae-9477-b232079f910e", + "modified": "2023-10-27T20:54:35.080369Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": 
"2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.080369Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC request message.", + "event_id": "dce_rpc_request", + "id": "x-mitre-sensor-mapping--55ad195b-b3d4-4872-bacd-af4e6feefa37", + "modified": "2023-10-27T20:54:35.080369Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.081366Z", + "id": "relationship--e910e475-5f86-4fb9-be4d-010d87bc5cd3", + "modified": "2023-10-27T20:54:35.081366Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.082366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for every DCE-RPC reply message.", + "event_id": "dce_rpc_reply", + "id": "x-mitre-sensor-mapping--e58ba889-cb99-421e-8d5e-a09039566e27", + "modified": "2023-10-27T20:54:35.082366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process", + "spec_version": "2.1", + "target": "Rpc", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.082366Z", + "id": "relationship--c04ac5d0-806f-476f-9280-12cb12baaa4e", + "modified": "2023-10-27T20:54:35.082366Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": 
"x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.083366Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for HTTP requests.", + "event_id": "http_request", + "id": "x-mitre-sensor-mapping--fd8e8b49-3f2a-42b5-b267-10960d78135a", + "modified": "2023-10-27T20:54:35.083366Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Process/User", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.084375Z", + "id": "relationship--e5f1b1e3-e926-40e1-9b09-f4dc1021e10a", + "modified": "2023-10-27T20:54:35.084375Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.085415Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for HTTP replies.", + "event_id": "http_reply", + "id": "x-mitre-sensor-mapping--3344aef6-55c0-4c54-9a63-e0485dcf17c5", + "modified": "2023-10-27T20:54:35.085415Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Host", + "spec_version": "2.1", + "target": "Http", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.086387Z", + "id": "relationship--264763ff-787f-48db-a298-a4fafed72c04", + "modified": "2023-10-27T20:54:35.086387Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + 
"type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.086387Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each packet sent by a UDP flow’s responder.", + "event_id": "udp_reply", + "id": "x-mitre-sensor-mapping--52fa68dd-9f4b-467b-b2ee-0952e2373d23", + "modified": "2023-10-27T20:54:35.086387Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Udp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.087379Z", + "id": "relationship--1a6dfb14-a90c-49b2-9976-52b0d4a04cca", + "modified": "2023-10-27T20:54:35.087379Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": "relationship" + }, + { + "created": "2023-10-27T20:54:35.088386Z", + "data_component": "Network Traffic Flow", + "data_source": "Network Traffic", + "description": "Generated for each packet sent by a UDP flow’s originator.", + "event_id": "udp_request", + "id": "x-mitre-sensor-mapping--96f5ac67-c0bc-4b99-981d-e926fd356b04", + "modified": "2023-10-27T20:54:35.088386Z", + "relationship": "Communicate Through", + "revoked": false, + "source": "Service", + "spec_version": "2.1", + "target": "Udp", + "type": "x-mitre-sensor-mapping", + "x_mitre_data_source_id": "DS0029" + }, + { + "created": "2023-10-27T20:54:35.088386Z", + "id": "relationship--a71a0066-e256-43dd-9414-85193160a991", + "modified": "2023-10-27T20:54:35.088386Z", + "relationship_type": "Communicate Through", + "revoked": false, + "source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "spec_version": "2.1", + "target_ref": "x-mitre-data-component--77af96d1-c44e-4b3b-9b88-de4364a1dfaa", + "type": 
"relationship" + } + ], + "type": "bundle" +} \ No newline at end of file diff --git a/mappings/stix/layers/enterprise/Auditd-heatmap.json b/mappings/stix/layers/enterprise/Auditd-heatmap.json new file mode 100644 index 0000000..a52ee39 --- /dev/null +++ b/mappings/stix/layers/enterprise/Auditd-heatmap.json 
@@ -0,0 +1,832 @@ +{ + "name": "Auditd", + "versions": { + "navigator": "4.8.2", + "layer": "4.4", + "attack": "13" + }, + "sorting": 0, + "description": "", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1047", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1113", + "score": 1, + "comment": "Auditd: USYS_CONFIG" + }, + { + "techniqueID": "T1037", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1033", + "score": 1, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1003", + "score": 1, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1006", + "score": 1, + "comment": "Auditd: USYS_CONFIG" + }, + { + "techniqueID": "T1123", + "score": 1, + "comment": "Auditd: USYS_CONFIG" + }, + { + "techniqueID": "T1543", + "score": 1, + "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1069", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1114", + "score": 1, + "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG" + }, + { + "techniqueID": "T1561", + "score": 1, + "comment": "Auditd: FS_RELABEL, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1615", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1025", + "score": 1, + "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1547", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": 
"T1489", + "score": 1, + "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG" + }, + { + "techniqueID": "T1652", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1564", + "score": 1, + "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, CRED_ACQ, CRED_DISP, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CHAUTHTOK, USER_CMD, USER_ERR, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG" + }, + { + "techniqueID": "T1137", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1119", + "score": 1, + "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1115", + "score": 1, + "comment": "Auditd: USYS_CONFIG" + }, + { + "techniqueID": "T1007", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1040", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1135", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1120", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1082", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1053", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1176", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1202", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1005", + "score": 1, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1562", + "score": 1, + "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, NETFILTER_CFG, SELINUX_ERR, SYSTEM_RUNLEVEL, 
SYSTEM_SHUTDOWN, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USER_TTY, USYS_CONFIG" + }, + { + "techniqueID": "T1558", + "score": 1, + "comment": "Auditd: ANOM_LINK, CRYPTO_KEY_USER, LOGIN, USER_AVC, USER_END, USER_LOGOUT, USYS_CONFIG" + }, + { + "techniqueID": "T1555", + "score": 1, + "comment": "Auditd: ANOM_LINK, TTY, USER_AVC, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1567", + "score": 1, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1036", + "score": 1, + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, SELINUX_ERR, USER_LABELED_EXPORT, USER_TTY, USER_UNLABELED_EXPORT, USYS_CONFIG" + }, + { + "techniqueID": "T1552", + "score": 1, + "comment": "Auditd: ANOM_LINK, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_AVC, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1218", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1010", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1011", + "score": 1, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1560", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1021", + "score": 1, + "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG" + }, + { + "techniqueID": "T1112", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1563", + "score": 1, + "comment": "Auditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG" + }, + { + "techniqueID": "T1217", + "score": 1, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1222", + "score": 1, + "comment": "Auditd: USER_CMD, 
USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" + }, + { + "techniqueID": "T1548", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" + }, + { + "techniqueID": "T1125", + "score": 1, + "comment": "Auditd: USYS_CONFIG" + }, + { + "techniqueID": "T1016", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1087", + "score": 1, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1059", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1482", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1020", + "score": 1, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1070", + "score": 1, + "comment": "Auditd: ANOM_DEL_ACCOUNT, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, DEL_USER, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, NETFILTER_CFG, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_CMD, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG" + }, + { + "techniqueID": "T1609", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1083", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1647", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1074", + "score": 1, + "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1649", + "score": 1, + "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG" + }, + { + "techniqueID": "T1049", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1542", + "score": 1, + "comment": "Auditd: 
FS_RELABEL, USYS_CONFIG" + }, + { + "techniqueID": "T1497", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1480", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1204", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1057", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1041", + "score": 1, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1098", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG" + }, + { + "techniqueID": "T1048", + "score": 1, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1110", + "score": 1, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USYS_CONFIG" + }, + { + "techniqueID": "T1039", + "score": 1, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG" + }, + { + "techniqueID": "T1574", + "score": 1, + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG" + }, + { + "techniqueID": "T1027", + "score": 1, + "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" + }, + { + "techniqueID": "T1201", + "score": 1, + "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG" + }, + { + "techniqueID": "T1546", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" + }, + { + "techniqueID": "T1486", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": 
"T1553", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" + }, + { + "techniqueID": "T1570", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG" + }, + { + "techniqueID": "T1012", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1614", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1197", + "score": 1, + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG" + }, + { + "techniqueID": "T1496", + "score": 1, + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1569", + "score": 1, + "comment": "Auditd: DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1485", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1651", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1134", + "score": 1, + "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG" + }, + { + "techniqueID": "T1136", + "score": 1, + "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG" + }, + { + "techniqueID": "T1018", + "score": 1, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1046", + "score": 1, + "comment": "Auditd: USYS_CONFIG" + }, + { + "techniqueID": "T1518", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1622", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1052", + "score": 1, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG" + }, + { + 
"techniqueID": "T1484", + "score": 1, + "comment": "Auditd: USYS_CONFIG" + }, + { + "techniqueID": "T1124", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1490", + "score": 1, + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CHAUTHTOK, USER_CMD, USER_TTY, USYS_CONFIG" + }, + { + "techniqueID": "T1216", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1127", + "score": 1, + "comment": "Auditd: USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1529", + "score": 1, + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG" + }, + { + "techniqueID": "T1014", + "score": 1, + "comment": "Auditd: FS_RELABEL, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE" + }, + { + "techniqueID": "T1539", + "score": 1, + "comment": "Auditd: ANOM_LINK, TTY, USER_AVC" + }, + { + "techniqueID": "T1091", + "score": 1, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD" + }, + { + "techniqueID": "T1187", + "score": 1, + "comment": "Auditd: ANOM_LINK, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_AVC" + }, + { + "techniqueID": "T1554", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT" + }, + { + "techniqueID": "T1565", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT" + }, + { + "techniqueID": "T1195", + "score": 1, + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT" + }, + { + "techniqueID": "T1055", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, TTY, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT" + }, + { + "techniqueID": "T1600", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE" + }, + { + "techniqueID": "T1080", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, 
LABEL_OVERRIDE, USER_CMD" + }, + { + "techniqueID": "T1140", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD" + }, + { + "techniqueID": "T1491", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1601", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE" + }, + { + "techniqueID": "T1056", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD" + }, + { + "techniqueID": "T1505", + "score": 1, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CMD" + }, + { + "techniqueID": "T1556", + "score": 1, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, TTY, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_LOGIN, USER_ROLE_CHANGE, USER_START" + }, + { + "techniqueID": "T1499", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN" + }, + { + "techniqueID": "T1498", + "score": 1, + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN" + }, + { + "techniqueID": "T1550", + "score": 1, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START" + }, + { + "techniqueID": "T1185", + "score": 1, + "comment": "Auditd: CRYPTO_SESSION, TTY, USER_LOGIN, USER_START" + }, + { + "techniqueID": "T1606", + "score": 1, + "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START" + }, + { + "techniqueID": "T1621", + "score": 1, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START" + }, + { + "techniqueID": "T1199", + 
"score": 1, + "comment": "Auditd: CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGIN, USER_LOGOUT, USER_START" + }, + { + "techniqueID": "T1078", + "score": 1, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START" + }, + { + "techniqueID": "T1213", + "score": 1, + "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START" + }, + { + "techniqueID": "T1538", + "score": 1, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START" + }, + { + "techniqueID": "T1133", + "score": 1, + "comment": "Auditd: CRYPTO_KEY_USER, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGOUT" + }, + { + "techniqueID": "T1557", + "score": 1, + "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1602", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1071", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1190", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1219", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD" + }, + { + "techniqueID": "T1205", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD" + }, + { + "techniqueID": "T1572", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1589", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1207", + "score": 1, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, MAC_UNLBL_ALLOW, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH" + }, + { + "techniqueID": "T1595", + "score": 1, + "comment": "Auditd: 
MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1090", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1568", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1612", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1586", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1102", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1210", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1534", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1566", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1001", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1571", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1599", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1573", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1095", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1132", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1598", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1585", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1537", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1189", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD" + }, + { + "techniqueID": "T1221", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD" + }, + { + "techniqueID": "T1105", + "score": 1, + "comment": "Auditd: MAC_UNLBL_ALLOW" + }, + { + "techniqueID": "T1559", + "score": 1, + "comment": "Auditd: TTY, USER_CMD" + }, + { + "techniqueID": "T1611", + "score": 1, + "comment": "Auditd: USER_CMD" + }, + { + "techniqueID": "T1072", 
+ "score": 1, + "comment": "Auditd: USER_CMD" + }, + { + "techniqueID": "T1212", + "score": 1, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CMD" + }, + { + "techniqueID": "T1068", + "score": 1, + "comment": "Auditd: USER_CMD" + }, + { + "techniqueID": "T1203", + "score": 1, + "comment": "Auditd: USER_CMD" + }, + { + "techniqueID": "T1220", + "score": 1, + "comment": "Auditd: USER_CMD" + }, + { + "techniqueID": "T1211", + "score": 1, + "comment": "Auditd: USER_CMD" + }, + { + "techniqueID": "T1531", + "score": 1, + "comment": "Auditd: ANOM_DEL_ACCOUNT, DEL_USER, USER_CHAUTHTOK, USER_ROLE_CHANGE" + }, + { + "techniqueID": "T1528", + "score": 1, + "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE" + } + ], + "gradient": { + "colors": [ + "#ff6666", + "#ffe766ff", + "#8ec843" + ], + "minValue": 0, + "maxValue": 1 + } +} \ No newline at end of file diff --git a/mappings/stix/layers/enterprise/CloudTrail-heatmap.json b/mappings/stix/layers/enterprise/CloudTrail-heatmap.json new file mode 100644 index 0000000..e546d16 --- /dev/null +++ b/mappings/stix/layers/enterprise/CloudTrail-heatmap.json 
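Review bot: The layer leaves `"description": ""` empty while giving every technique `"score": 1` on a 0–1 gradient, so the heatmap colours a technique backed by one broad record type the same as one backed by many. Entries such as T1589, T1595, T1598, T1585 and T1586 are listed on the strength of `MAC_UNLBL_ALLOW` alone; those are reconnaissance and resource-development techniques that host audit records are unlikely to observe, so a reader may take the colour as detection coverage. I would state the meaning in the layer itself, e.g. `"description": "Score 1 = at least one Auditd record type maps to a data component of the technique; not a measure of detection coverage"`. The CloudTrail layer in the next hunk has the same empty description and flat score.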
@@ -0,0 +1,232 @@ +{ + "name": "CloudTrail", + "versions": { + "navigator": "4.8.2", + "layer": "4.4", + "attack": "13" + }, + "sorting": 0, + "description": "", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1033", + "score": 1, + "comment": "CloudTrail: GetOpenIDConnectProvider" + }, + { + "techniqueID": "T1003", + "score": 1, + "comment": "CloudTrail: GetOpenIDConnectProvider" + }, + { + "techniqueID": "T1615", + "score": 1, + "comment": "CloudTrail: GetOpenIDConnectProvider" + }, + { + "techniqueID": "T1207", + "score": 1, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider" + }, + { + "techniqueID": "T1484", + "score": 1, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, DeleteOpenIDConnectProvider, DeleteSAMLProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider" + }, + { + "techniqueID": "T1037", + "score": 1, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider" + }, + { + "techniqueID": "T1222", + "score": 1, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, 
UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider" + }, + { + "techniqueID": "T1649", + "score": 1, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider" + }, + { + "techniqueID": "T1098", + "score": 1, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, AddUserToGroup, AttachGroupPolicy, RemoveClientIDFromOpenIDConnectProvider, RemoveUserFromGroup, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateGroup, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate" + }, + { + "techniqueID": "T1531", + "score": 1, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, DeleteUser, RemoveClientIDFromOpenIDConnectProvider, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate" + }, + { + "techniqueID": "T1134", + "score": 1, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, 
DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, RemoveClientIDFromOpenIDConnectProvider, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagOpenIDConnectProvider, TagPolicy, TagRole, TagSAMLProvider, Untag Policy, UntagOpenIDConnectProvider, UntagRole, UntagSAMLProvider, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateOpenIDConnectProviderThumbprint, UpdateRole, UpdateSAMLProvider" + }, + { + "techniqueID": "T1556", + "score": 1, + "comment": "CloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, SetSecurityTokenPreferences, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate" + }, + { + "techniqueID": "T1562", + "score": 1, + "comment": "CloudTrail: SetSecurityTokenPreferences, StopLogging, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, 
UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate" + }, + { + "techniqueID": "T1069", + "score": 1, + "comment": "CloudTrail: DeleteGroupPolicy, DetachGroupPolicy, GetContextKeysForPrincipalPolicy, GetGroupPolicy, ListAttachedGroupPolicies, ListEntitiesForPolicy, ListGroupPolicies, ListGroups, ListGroupsForUser, ListPoliciesGrantingServiceAccess, PutGroupPolicy" + }, + { + "techniqueID": "T1525", + "score": 1, + "comment": "CloudTrail: CreateImage, ModifyImageAttribute" + }, + { + "techniqueID": "T1612", + "score": 1, + "comment": "CloudTrail: CreateImage" + }, + { + "techniqueID": "T1204", + "score": 1, + "comment": "CloudTrail: CreateImage, RunInstances, StartInstances" + }, + { + "techniqueID": "T1578", + "score": 1, + "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, CreateSnapshot, CreateVolume, DeleteInstanceProfile, DeleteSnapshot, DetachVolume, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, ModifySnapshotAttribute, ModifyVolume, RemoveRoleFromInstanceProfile, RunInstances, StartInstances, StopInstances, TagInstanceProfile, UntagInstanceProfile" + }, + { + "techniqueID": "T1535", + "score": 1, + "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, TagInstanceProfile, UntagInstanceProfile" + }, + { + "techniqueID": "T1114", + "score": 1, + "comment": "CloudTrail: ConsoleLogin" + }, + { + "techniqueID": "T1550", + "score": 1, + "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice" + }, + { + "techniqueID": "T1185", + "score": 1, + "comment": 
"CloudTrail: ConsoleLogin" + }, + { + "techniqueID": "T1021", + "score": 1, + "comment": "CloudTrail: ConsoleLogin" + }, + { + "techniqueID": "T1563", + "score": 1, + "comment": "CloudTrail: ConsoleLogin" + }, + { + "techniqueID": "T1606", + "score": 1, + "comment": "CloudTrail: ConsoleLogin" + }, + { + "techniqueID": "T1621", + "score": 1, + "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice" + }, + { + "techniqueID": "T1199", + "score": 1, + "comment": "CloudTrail: ConsoleLogin" + }, + { + "techniqueID": "T1078", + "score": 1, + "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice" + }, + { + "techniqueID": "T1213", + "score": 1, + "comment": "CloudTrail: ConsoleLogin" + }, + { + "techniqueID": "T1538", + "score": 1, + "comment": "CloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice" + }, + { + "techniqueID": "T1537", + "score": 1, + "comment": "CloudTrail: CreateSnapshot, ModifySnapshotAttribute" + }, + { + "techniqueID": "T1485", + "score": 1, + "comment": "CloudTrail: DeleteSnapshot" + }, + { + "techniqueID": "T1490", + "score": 1, + "comment": "CloudTrail: DeleteSnapshot" + }, + { + "techniqueID": "T1552", + "score": 1, + "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice" + }, + { + "techniqueID": "T1070", + "score": 1, + "comment": 
"CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteUser, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice" + }, + { + "techniqueID": "T1212", + "score": 1, + "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice" + }, + { + "techniqueID": "T1110", + "score": 1, + "comment": "CloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice" + }, + { + "techniqueID": "T1564", + "score": 1, + "comment": "CloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, CreateUser, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, 
TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole" + }, + { + "techniqueID": "T1136", + "score": 1, + "comment": "CloudTrail: CreateUser" + }, + { + "techniqueID": "T1201", + "score": 1, + "comment": "CloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole" + }, + { + "techniqueID": "T1528", + "score": 1, + "comment": "CloudTrail: SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate" + }, + { + "techniqueID": "T1611", + "score": 1, + "comment": "CloudTrail: DetachVolume, ModifyVolume" + } + ], + "gradient": { + "colors": [ + 
"#ff6666", + "#ffe766ff", + "#8ec843" + ], + "minValue": 0, + "maxValue": 1 + } +} \ No newline at end of file diff --git a/mappings/stix/layers/enterprise/OSQuery-heatmap.json b/mappings/stix/layers/enterprise/OSQuery-heatmap.json new file mode 100644 index 0000000..aeeeb91 --- /dev/null +++ b/mappings/stix/layers/enterprise/OSQuery-heatmap.json 
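Review bot: Two event names in the T1134, T1564 and T1201 comments do not match the IAM action names that CloudTrail records: `Untag Policy` contains a space and `GetLoginprofile` has a lowercase `p`. A detection or coverage query built by exact match on these strings would miss the real events. The values should read `UntagPolicy` and `GetLoginProfile`. The layer looks generated from the mapping inputs, so the correction probably belongs in that source rather than in this file.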
@@ -0,0 +1,822 @@ +{ + "name": "OSQuery", + "versions": { + "navigator": "4.8.2", + "layer": "4.4", + "attack": "13" + }, + "sorting": 0, + "description": "", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1033", + "score": 1, + "comment": "OSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, userassist" + }, + { + "techniqueID": "T1003", + "score": 1, + "comment": "OSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, userassist" + }, + { + "techniqueID": "T1615", + "score": 1, + "comment": "OSQuery: managed_policies, powershell_events, running_apps, socket_events" + }, + { + "techniqueID": "T1557", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events" + }, + { + "techniqueID": "T1133", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events" + }, + { + "techniqueID": "T1069", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, groups, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_groups" + }, + { + "techniqueID": "T1114", + "score": 1, + "comment": "OSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions" + }, + { + "techniqueID": "T1594", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, 
ie_extensions, opera_extensions, safari_extensions" + }, + { + "techniqueID": "T1564", + "score": 1, + "comment": "OSQuery: account_policy_data, authenticode, authorizations, authorized_keys, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, safari_extensions, shadow, shimcache, signature, suid_bin, user_ssh_keys" + }, + { + "techniqueID": "T1137", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions" + }, + { + "techniqueID": "T1190", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events" + }, + { + "techniqueID": "T1552", + "score": 1, + "comment": "OSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, running_apps, safari_extensions, startup_items, user_events, userassist" + }, + { + "techniqueID": "T1550", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events" + }, + { + "techniqueID": "T1610", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions" + }, + { + 
"techniqueID": "T1491", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events" + }, + { + "techniqueID": "T1070", + "score": 1, + "comment": "OSQuery: alf_exceptions, authenticode, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, process_file_events, quicklook_cache, running_apps, safari_extensions, shimcache, signature, socket_events, suid_bin, user_events" + }, + { + "techniqueID": "T1649", + "score": 1, + "comment": "OSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, safari_extensions, startup_items, userassist" + }, + { + "techniqueID": "T1204", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events" + }, + { + "techniqueID": "T1072", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions" + }, + { + "techniqueID": "T1621", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, user_events" + }, + { + "techniqueID": "T1212", + "score": 1, + "comment": "OSQuery: 
browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_events" + }, + { + "techniqueID": "T1210", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events" + }, + { + "techniqueID": "T1534", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events" + }, + { + "techniqueID": "T1199", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events" + }, + { + "techniqueID": "T1048", + "score": 1, + "comment": "OSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions, socket_events" + }, + { + "techniqueID": "T1566", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events" + }, + { + "techniqueID": "T1110", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events" + }, + { + "techniqueID": "T1203", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions" + }, + { + "techniqueID": 
"T1499", + "score": 1, + "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports" + }, + { + "techniqueID": "T1598", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events" + }, + { + "techniqueID": "T1213", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions" + }, + { + "techniqueID": "T1200", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, usb_devices" + }, + { + "techniqueID": "T1505", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, 
homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events" + }, + { + "techniqueID": "T1189", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events" + }, + { + "techniqueID": "T1622", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions" + }, + { + "techniqueID": "T1648", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions" + }, + { + "techniqueID": "T1556", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events" + }, + { + "techniqueID": "T1211", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions" + }, + { + "techniqueID": "T1588", + "score": 1, + "comment": "OSQuery: certificates" + }, + { + "techniqueID": "T1006", + "score": 1, + "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives" + }, + { + "techniqueID": "T1561", + "score": 1, + "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, running_apps, time_machine_backups" + }, + { + "techniqueID": "T1092", + "score": 1, + "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, usb_devices" + }, + { + "techniqueID": "T1091", + 
"score": 1, + "comment": "OSQuery: augeas, file_events, office_mru, plist, running_apps, usb_devices" + }, + { + "techniqueID": "T1052", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, running_apps, usb_devices" + }, + { + "techniqueID": "T1014", + "score": 1, + "comment": "OSQuery: file_events, time_machine_backups" + }, + { + "techniqueID": "T1542", + "score": 1, + "comment": "OSQuery: bitlocker_info, drivers, iokit_devicetree, iokit_registry, time_machine_backups" + }, + { + "techniqueID": "T1539", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist" + }, + { + "techniqueID": "T1025", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist" + }, + { + "techniqueID": "T1119", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, powershell_events" + }, + { + "techniqueID": "T1005", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, powershell_events, running_apps" + }, + { + "techniqueID": "T1558", + "score": 1, + "comment": "OSQuery: augeas, last, logged_in_users, logon_sessions, office_mru, plist" + }, + { + "techniqueID": "T1555", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, running_apps" + }, + { + "techniqueID": "T1567", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, socket_events" + }, + { + "techniqueID": "T1011", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, socket_events" + }, + { + "techniqueID": "T1217", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, running_apps" + }, + { + "techniqueID": "T1087", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, running_apps" + }, + { + "techniqueID": "T1020", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, powershell_events, socket_events" + }, + { + "techniqueID": "T1074", + "score": 1, + "comment": "OSQuery: augeas, file_events, office_mru, plist" + }, + { + "techniqueID": "T1041", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, socket_events" 
+ }, + { + "techniqueID": "T1039", + "score": 1, + "comment": "OSQuery: augeas, mounts, nfs_shares, office_mru, plist, shared_folders, sharing_preferences, socket_events" + }, + { + "techniqueID": "T1187", + "score": 1, + "comment": "OSQuery: augeas, file_events, office_mru, plist, socket_events" + }, + { + "techniqueID": "T1018", + "score": 1, + "comment": "OSQuery: augeas, office_mru, plist, running_apps" + }, + { + "techniqueID": "T1037", + "score": 1, + "comment": "OSQuery: file_events, running_apps" + }, + { + "techniqueID": "T1543", + "score": 1, + "comment": "OSQuery: file_events, running_apps" + }, + { + "techniqueID": "T1547", + "score": 1, + "comment": "OSQuery: authorization_mechanisms, fbsd_kmods, file_events, kernel_modules, running_apps" + }, + { + "techniqueID": "T1080", + "score": 1, + "comment": "OSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences" + }, + { + "techniqueID": "T1053", + "score": 1, + "comment": "OSQuery: file_events, running_apps" + }, + { + "techniqueID": "T1176", + "score": 1, + "comment": "OSQuery: file_events, running_apps" + }, + { + "techniqueID": "T1218", + "score": 1, + "comment": "OSQuery: file_events, running_apps" + }, + { + "techniqueID": "T1560", + "score": 1, + "comment": "OSQuery: file_events, powershell_events, running_apps" + }, + { + "techniqueID": "T1554", + "score": 1, + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin" + }, + { + "techniqueID": "T1565", + "score": 1, + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, 
quicklook_cache, shimcache, signature, socket_events, suid_bin" + }, + { + "techniqueID": "T1574", + "score": 1, + "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps" + }, + { + "techniqueID": "T1027", + "score": 1, + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers" + }, + { + "techniqueID": "T1546", + "score": 1, + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers" + }, + { + "techniqueID": "T1486", + "score": 1, + "comment": "OSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences" + }, + { + "techniqueID": "T1570", + "score": 1, + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, mounts, nfs_shares, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shared_folders, sharing_preferences, shimcache, signature, socket_events, suid_bin" + }, + { + "techniqueID": "T1496", + "score": 1, + "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, file_events, 
hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports" + }, + { + "techniqueID": "T1105", + "score": 1, + "comment": "OSQuery: file_events, socket_events" + }, + { + "techniqueID": "T1485", + "score": 1, + "comment": "OSQuery: file_events, running_apps" + }, + { + "techniqueID": "T1490", + "score": 1, + "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps" + }, + { + "techniqueID": "T1195", + "score": 1, + "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, authenticode, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, event_taps, extended_attributes, fan_speed_sensors, file, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, magic, mdfind, mdls, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, ntfs_acl_permissions, ntfs_journal_events, os_version, package_bom, patches, portage_keywords, portage_packages, portage_use, preferences, process_file_events, programs, python_packages, quicklook_cache, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, shimcache, signature, sip_config, sudoers, suid_bin, syslog_events, system_controls, 
system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports" + }, + { + "techniqueID": "T1036", + "score": 1, + "comment": "OSQuery: authenticode, background_activities_moderator, crontab, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, gatekeeper, gatekeeper_apps, launchd, launchd_overrides, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, sandboxes, shimcache, signature, suid_bin" + }, + { + "techniqueID": "T1055", + "score": 1, + "comment": "OSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, shimcache, signature, suid_bin" + }, + { + "techniqueID": "T1222", + "score": 1, + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin" + }, + { + "techniqueID": "T1548", + "score": 1, + "comment": "OSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, 
package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, running_apps, shimcache, signature, suid_bin" + }, + { + "techniqueID": "T1553", + "score": 1, + "comment": "OSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin" + }, + { + "techniqueID": "T1600", + "score": 1, + "comment": "OSQuery: file_events" + }, + { + "techniqueID": "T1489", + "score": 1, + "comment": "OSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps" + }, + { + "techniqueID": "T1140", + "score": 1, + "comment": "OSQuery: file_events, powershell_events, running_apps" + }, + { + "techniqueID": "T1647", + "score": 1, + "comment": "OSQuery: file_events, running_apps" + }, + { + "techniqueID": "T1098", + "score": 1, + "comment": "OSQuery: file_events, running_apps" + }, + { + "techniqueID": "T1601", + "score": 1, + "comment": "OSQuery: file_events" + }, + { + "techniqueID": "T1056", + "score": 1, + "comment": "OSQuery: background_activities_moderator, file_events, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps" + }, + { + "techniqueID": "T1569", + "score": 1, + "comment": "OSQuery: file_events, running_apps" + }, + { + "techniqueID": "T1518", + "score": 1, + "comment": "OSQuery: alf, alf_explicit_auths, iptables, running_apps" + }, + { + "techniqueID": "T1562", + "score": 1, + "comment": "OSQuery: alf_exceptions, app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, 
cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, gatekeeper, gatekeeper_apps, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, powershell_events, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports" + }, + { + "techniqueID": "T1498", + "score": 1, + "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports" + }, + { + "techniqueID": "T1529", + "score": 1, + "comment": "OSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, 
cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports" + }, + { + "techniqueID": "T1525", + "score": 1, + "comment": "OSQuery: sandboxes" + }, + { + "techniqueID": "T1611", + "score": 1, + "comment": "OSQuery: authorization_mechanisms, fbsd_kmods, kernel_modules, running_apps" + }, + { + "techniqueID": "T1078", + "score": 1, + "comment": "OSQuery: last, logged_in_users, logon_sessions, user_events" + }, + { + "techniqueID": "T1021", + "score": 1, + "comment": "OSQuery: mounts, nfs_shares, running_apps, shared_folders, sharing_preferences" + }, + { + "techniqueID": "T1602", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1071", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1219", + "score": 1, + "comment": "OSQuery: running_apps, socket_events" + }, + { + "techniqueID": "T1205", + "score": 1, + "comment": "OSQuery: running_apps, socket_events" + }, + { + "techniqueID": "T1572", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1589", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1207", + "score": 1, + "comment": "OSQuery: socket_events, user_events" + }, + { + "techniqueID": "T1563", + "score": 1, + "comment": "OSQuery: running_apps, socket_events" + }, + { + "techniqueID": 
"T1595", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1090", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1482", + "score": 1, + "comment": "OSQuery: powershell_events, running_apps, socket_events" + }, + { + "techniqueID": "T1568", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1612", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1586", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1102", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1001", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1571", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1599", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1573", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1095", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1132", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1585", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1537", + "score": 1, + "comment": "OSQuery: socket_events" + }, + { + "techniqueID": "T1221", + "score": 1, + "comment": "OSQuery: running_apps, socket_events" + }, + { + "techniqueID": "T1047", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1652", + "score": 1, + "comment": "OSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist" + }, + { + "techniqueID": "T1007", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1040", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1135", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1120", + "score": 1, + "comment": "OSQuery: running_apps" + }, + 
{ + "techniqueID": "T1082", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1202", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1010", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1112", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1016", + "score": 1, + "comment": "OSQuery: powershell_events, running_apps" + }, + { + "techniqueID": "T1059", + "score": 1, + "comment": "OSQuery: background_activities_moderator, package_receipts, powershell_events, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps" + }, + { + "techniqueID": "T1609", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1083", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1049", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1497", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1480", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1057", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1559", + "score": 1, + "comment": "OSQuery: powershell_events, running_apps" + }, + { + "techniqueID": "T1068", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1201", + "score": 1, + "comment": "OSQuery: account_policy_data, authorizations, authorized_keys, running_apps, shadow, user_ssh_keys" + }, + { + "techniqueID": "T1012", + "score": 1, + "comment": "OSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist" + }, + { + "techniqueID": "T1614", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1197", + "score": 1, + "comment": "OSQuery: gatekeeper, gatekeeper_apps, running_apps" + }, + { + "techniqueID": "T1651", + "score": 1, 
+ "comment": "OSQuery: powershell_events, running_apps" + }, + { + "techniqueID": "T1134", + "score": 1, + "comment": "OSQuery: account_policy_data, authorizations, authorized_keys, background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps, shadow, user_ssh_keys" + }, + { + "techniqueID": "T1136", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1220", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1124", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1216", + "score": 1, + "comment": "OSQuery: powershell_events, running_apps" + }, + { + "techniqueID": "T1127", + "score": 1, + "comment": "OSQuery: running_apps" + }, + { + "techniqueID": "T1620", + "score": 1, + "comment": "OSQuery: powershell_events" + }, + { + "techniqueID": "T1538", + "score": 1, + "comment": "OSQuery: user_events" + } + ], + "gradient": { + "colors": [ + "#ff6666", + "#ffe766ff", + "#8ec843" + ], + "minValue": 0, + "maxValue": 1 + } +} \ No newline at end of file diff --git a/mappings/stix/layers/enterprise/Sysmon-heatmap.json b/mappings/stix/layers/enterprise/Sysmon-heatmap.json new file mode 100644 index 0000000..6f939e2 --- /dev/null +++ b/mappings/stix/layers/enterprise/Sysmon-heatmap.json 
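Review bot: Every entry in `techniques` of OSQuery-heatmap.json carries `"score": 1` against a 0–1 gradient while `"description"` is left empty, so the layer shows all of these techniques at the top colour (`#8ec843`) with nothing telling a reader what the score means. Several comments list tables that look unrelated to detecting the technique, for example `battery`, `fan_speed_sensors` and `cups_jobs` under T1195, T1498 and T1529. That suggests the score comes from a broad data-source join rather than validated coverage, and read as detection coverage the layer would overstate what OSQuery can see. I would fill the description, e.g. `"description": "Score 1 = at least one OSQuery table maps to a data source of the technique; not validated detection coverage"`, with the wording confirmed against how the layer is actually produced. If these layer files are generated, the change belongs in the generator rather than in this file.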
@@ -0,0 +1,687 @@ +{ + "name": "Sysmon", + "versions": { + "navigator": "4.8.2", + "layer": "4.4", + "attack": "13" + }, + "sorting": 0, + "description": "", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1543", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1561", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1547", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1562", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1068", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1056", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1111", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1033", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1003", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1539", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1114", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1025", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1119", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1091", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1005", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1558", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1555", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1567", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1552", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1011", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1217", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1087", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1020", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1074", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1649", + 
"score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1041", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1048", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1039", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1187", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1018", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1052", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1037", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1564", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1080", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1137", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1053", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1176", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1218", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1560", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1491", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1204", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1554", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1566", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1565", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1574", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1027", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1546", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1486", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1570", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1496", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1505", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1189", + "score": 1, + "comment": 
"Sysmon: " + }, + { + "techniqueID": "T1105", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1556", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1070", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1485", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1490", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1014", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1600", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1489", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1140", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1036", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1055", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1548", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1647", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1098", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1601", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1553", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1569", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1129", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1106", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1620", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1021", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1059", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1559", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1220", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1047", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1602", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1133", + "score": 1, + "comment": "Sysmon: " + }, + { + 
"techniqueID": "T1219", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1205", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1029", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1572", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1090", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1568", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1542", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1612", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1102", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1104", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1030", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1197", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1221", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1008", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1185", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1069", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1615", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1652", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1007", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1040", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1135", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1120", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1082", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1202", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1611", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1010", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1112", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1563", + 
"score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1222", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1016", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1482", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1609", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1083", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1049", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1497", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1480", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1057", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1072", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1212", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1201", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1203", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1012", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1614", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1651", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1134", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1136", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1518", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1622", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1124", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1216", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1211", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1127", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1529", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1557", + "score": 1, + "comment": "Sysmon: " + } + ], + "gradient": { + "colors": [ + "#ff6666", + 
"#ffe766ff", + "#8ec843" + ], + "minValue": 0, + "maxValue": 1 + } +} \ No newline at end of file diff --git a/mappings/stix/layers/enterprise/WinEvtx-heatmap.json b/mappings/stix/layers/enterprise/WinEvtx-heatmap.json new file mode 100644 index 0000000..bcc84d8 --- /dev/null +++ b/mappings/stix/layers/enterprise/WinEvtx-heatmap.json 
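Review bot: Every technique entry in this layer has `"comment": "Sysmon: "` with nothing after the colon, so each `"score": 1` is a coverage claim with no event evidence a detection engineer can audit. The OSQuery and Zeek layers in the same commit do list the tables or events behind each score, and the same empty comment runs through every entry of WinEvtx-heatmap.json. These files look generated, so the fix probably belongs in the generator and its input mapping rather than in the JSON. Either fill the comment from the mapped events, as in `"comment": "Sysmon: <mapped event IDs>"`, or leave out techniques that have no mapped event instead of scoring them 1. As written, the Navigator view would colour these techniques as covered even where no Sysmon or Windows event is actually tied to them.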
@@ -0,0 +1,792 @@ +{ + "name": "WinEvtx", + "versions": { + "navigator": "4.8.2", + "layer": "4.4", + "attack": "13" + }, + "sorting": 0, + "description": "", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1558", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1550", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1649", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1033", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1003", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1615", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1207", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1484", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1037", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1222", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1098", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1531", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1134", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1556", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1047", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1113", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1006", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1123", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1543", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1069", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1114", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1561", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1025", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1547", + "score": 1, + "comment": "WinEvtx: " + }, + { + 
"techniqueID": "T1489", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1652", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1564", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1137", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1119", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1115", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1007", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1040", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1135", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1120", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1082", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1053", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1176", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1202", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1005", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1562", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1555", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1567", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1036", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1552", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1218", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1010", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1011", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1560", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1021", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1112", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1563", + "score": 1, + "comment": "WinEvtx: " + }, + { + 
"techniqueID": "T1217", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1548", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1125", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1016", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1087", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1059", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1482", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1020", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1070", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1609", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1083", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1647", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1074", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1049", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1542", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1497", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1480", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1204", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1057", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1041", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1048", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1110", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1039", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1574", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1027", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1201", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1546", + "score": 1, + "comment": "WinEvtx: " + }, + { + 
"techniqueID": "T1486", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1553", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1570", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1012", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1614", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1197", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1496", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1569", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1485", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1651", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1136", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1018", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1046", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1518", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1622", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1052", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1124", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1490", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1216", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1127", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1529", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1091", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1092", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1200", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1014", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1539", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1187", + "score": 1, + "comment": "WinEvtx: " + }, + { + 
"techniqueID": "T1080", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1491", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1554", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1566", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1565", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1505", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1189", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1105", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1195", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1055", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1600", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1140", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1601", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1056", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1499", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1498", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1185", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1606", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1621", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1199", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1078", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1213", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1538", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1133", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1602", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1219", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1205", + "score": 1, + "comment": "WinEvtx: " + }, + { + 
"techniqueID": "T1029", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1572", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1090", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1568", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1612", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1102", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1104", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1030", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1221", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1008", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1559", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1611", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1072", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1212", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1068", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1203", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1220", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1211", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1620", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1557", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1528", + "score": 1, + "comment": "WinEvtx: " + }, + { + "techniqueID": "T1111", + "score": 1, + "comment": "WinEvtx: " + } + ], + "gradient": { + "colors": [ + "#ff6666", + "#ffe766ff", + "#8ec843" + ], + "minValue": 0, + "maxValue": 1 + } +} \ No newline at end of file diff --git a/mappings/stix/layers/enterprise/Zeek-heatmap.json b/mappings/stix/layers/enterprise/Zeek-heatmap.json new file mode 100644 index 0000000..d313872 --- /dev/null +++ b/mappings/stix/layers/enterprise/Zeek-heatmap.json 
@@ -0,0 +1,357 @@ +{ + "name": "Zeek", + "versions": { + "navigator": "4.8.2", + "layer": "4.4", + "attack": "13" + }, + "sorting": 0, + "description": "", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1047", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1602", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, 
snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1133", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, 
netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, 
snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1114", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1176", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1567", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, 
connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, 
rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1219", + "score": 1, + 
"comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, 
pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, 
ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1205", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, 
ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, 
ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1218", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1029", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, 
mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1572", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, 
dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, 
rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1011", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, 
connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, 
pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, 
ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1021", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, 
pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1090", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, 
krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, 
smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1020", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, 
http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, 
smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1568", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, 
dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, 
sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1542", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, 
ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1612", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, 
pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, 
ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1102", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, 
nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, 
ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1104", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, 
nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1204", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, 
smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1041", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, 
dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, 
smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1048", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, 
dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, 
rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1039", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, 
ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1030", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, 
dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, 
socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1197", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1496", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, 
netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1189", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, 
pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1221", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, 
rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1018", + "score": 1, + "comment": "Zeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1105", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, 
connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, 
pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, 
tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1008", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, 
rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1557", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, 
mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, 
smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1033", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, 
netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, 
snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1003", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, 
netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, 
ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1615", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1071", + "score": 1, + "comment": "Zeek: 
arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, 
pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1190", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, 
mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1589", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, 
smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1207", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, 
snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1491", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1563", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, 
connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, 
rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1595", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, 
dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, 
rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1482", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, 
rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1070", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, 
smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1586", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, 
ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1210", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1534", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, 
dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, 
rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1199", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, 
rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1566", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, 
icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, 
smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1565", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, 
krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, 
smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1001", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, 
snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1571", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, 
nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, 
ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1187", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, 
pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, 
udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1599", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, 
pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1573", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, 
icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1570", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, 
dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, 
smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1095", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, 
dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, 
smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1499", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, 
icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, 
smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1132", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, 
smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1598", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, 
netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, 
ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1585", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1505", + "score": 1, + "comment": "Zeek: arp_reply, 
arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, 
pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1537", + "score": 1, + "comment": "Zeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, 
mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1200", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, 
dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1498", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, 
dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, 
ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1046", + "score": 1, + "comment": "Zeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, 
rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" + } + ], + "gradient": { + "colors": [ + "#ff6666", + "#ffe766ff", + "#8ec843" + ], + "minValue": 0, + "maxValue": 1 + } +} \ No newline at end of file diff --git a/mappings/stix/layers/enterprise/sensor-comparison-heatmap.json b/mappings/stix/layers/enterprise/sensor-comparison-heatmap.json new file mode 100644 index 0000000..c86d234 --- /dev/null +++ b/mappings/stix/layers/enterprise/sensor-comparison-heatmap.json 
@@ -0,0 +1,917 @@ +{ + "name": "Sensor Comparisons", + "versions": { + "navigator": "4.8.2", + "layer": "4.4", + "attack": "13" + }, + "sorting": 0, + "description": "", + "domain": "enterprise-attack", + "techniques": [ + { + "techniqueID": "T1047", + "score": 5, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1113", + "score": 2, + "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + }, + { + "techniqueID": "T1037", + "score": 5, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1033", + "score": 6, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG\n\nCloudTrail: GetOpenIDConnectProvider\n\nOSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, userassist\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, 
dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, 
rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1003", + "score": 6, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, TTY, USER_AVC, USER_CMD, USYS_CONFIG\n\nCloudTrail: GetOpenIDConnectProvider\n\nOSQuery: appcompat_shims, augeas, autoexec, managed_policies, office_mru, plist, registry, running_apps, socket_events, startup_items, userassist\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, 
dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, 
rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1006", + "score": 3, + "comment": "Auditd: USYS_CONFIG\n\nOSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives\n\nWinEvtx: " + }, + { + "techniqueID": "T1123", + "score": 2, + "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + }, + { + "techniqueID": "T1543", + "score": 4, + "comment": "Auditd: ANOM_PROMISCUOUS, CONFIG_CHANGE, DAEMON_CONFIG, DAEMON_START, 
LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_CIPSOV4_ADD, MAC_CIPSOV4_DEL, MAC_CONFIG_CHANGE, MAC_MAP_ADD, MAC_MAP_DEL, MAC_POLICY_LOAD, MAC_STATUS, ROLE_ASSIGN, ROLE_REMOVE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1069", + "score": 5, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nCloudTrail: DeleteGroupPolicy, DetachGroupPolicy, GetContextKeysForPrincipalPolicy, GetGroupPolicy, ListAttachedGroupPolicies, ListEntitiesForPolicy, ListGroupPolicies, ListGroups, ListGroupsForUser, ListPoliciesGrantingServiceAccess, PutGroupPolicy\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, groups, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_groups\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1114", + "score": 6, + "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1561", + "score": 4, + "comment": "Auditd: FS_RELABEL, USER_CMD, USYS_CONFIG\n\nOSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, running_apps, time_machine_backups\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1615", + "score": 6, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, 
USYS_CONFIG\n\nCloudTrail: GetOpenIDConnectProvider\n\nOSQuery: managed_policies, powershell_events, running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1025", + "score": 4, + "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1547", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: authorization_mechanisms, fbsd_kmods, file_events, kernel_modules, 
running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1489", + "score": 4, + "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG\n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1652", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1564", + "score": 5, + "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, CRED_ACQ, CRED_DISP, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CHAUTHTOK, USER_CMD, USER_ERR, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nCloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, CreateUser, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, 
SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole\n\nOSQuery: account_policy_data, authenticode, authorizations, authorized_keys, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, safari_extensions, shadow, shimcache, signature, suid_bin, user_ssh_keys\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1137", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1119", + "score": 4, + "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, powershell_events\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1115", + "score": 2, + "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + }, + { + "techniqueID": "T1007", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1040", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1135", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1120", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1082", + "score": 4, + 
"comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1053", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1176", + "score": 5, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1202", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1005", + "score": 4, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1562", + "score": 5, + "comment": "Auditd: ANOM_ABEND, DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, NETFILTER_CFG, SELINUX_ERR, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USER_TTY, USYS_CONFIG\n\nCloudTrail: SetSecurityTokenPreferences, StopLogging, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nOSQuery: alf_exceptions, app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, 
fan_speed_sensors, gatekeeper, gatekeeper_apps, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, powershell_events, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1558", + "score": 4, + "comment": "Auditd: ANOM_LINK, CRYPTO_KEY_USER, LOGIN, USER_AVC, USER_END, USER_LOGOUT, USYS_CONFIG\n\nOSQuery: augeas, last, logged_in_users, logon_sessions, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1555", + "score": 4, + "comment": "Auditd: ANOM_LINK, TTY, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1567", + "score": 5, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, 
dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, 
smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1036", + "score": 4, + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, SELINUX_ERR, USER_LABELED_EXPORT, USER_TTY, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, background_activities_moderator, crontab, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, 
file_events, gatekeeper, gatekeeper_apps, launchd, launchd_overrides, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, sandboxes, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1552", + "score": 5, + "comment": "Auditd: ANOM_LINK, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_AVC, USER_CMD, USYS_CONFIG\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, running_apps, safari_extensions, startup_items, user_events, userassist\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1218", + "score": 5, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1010", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1011", + "score": 5, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, 
USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, 
pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, 
ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1560", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1021", + "score": 6, + "comment": "Auditd: CRYPTO_SESSION, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: mounts, nfs_shares, running_apps, shared_folders, sharing_preferences\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, 
nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1112", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1563", + "score": 6, + "comment": "Auditd: CRYPTO_SESSION, MAC_UNLBL_ALLOW, USER_CMD, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: ConsoleLogin\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, 
connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, 
rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1217", + "score": 4, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1222", + "score": 5, + "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, 
RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1548", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1125", + "score": 2, + "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: " + }, + { + "techniqueID": "T1016", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1087", + "score": 4, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1059", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: background_activities_moderator, package_receipts, powershell_events, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + 
"techniqueID": "T1482", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1020", + "score": 5, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, powershell_events, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, 
connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, 
pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, 
udp_reply, udp_request" + }, + { + "techniqueID": "T1070", + "score": 6, + "comment": "Auditd: ANOM_DEL_ACCOUNT, ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, DEL_USER, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, NETFILTER_CFG, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_CMD, USER_LABELED_EXPORT, USER_ROLE_CHANGE, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteUser, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: alf_exceptions, authenticode, browser_plugins, chrome_extension_content_scripts, chrome_extensions, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, firefox_addons, homebrew_packages, ie_extensions, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, opera_extensions, package_bom, process_file_events, quicklook_cache, running_apps, safari_extensions, shimcache, signature, socket_events, suid_bin, user_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, 
smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1609", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1083", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1647", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1074", + "score": 4, + "comment": "Auditd: ANOM_LINK, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, file_events, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1649", + "score": 5, + "comment": "Auditd: ANOM_LINK, CRYPTO_SESSION, USER_AVC, USER_LOGIN, USER_START, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: appcompat_shims, augeas, autoexec, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, registry, safari_extensions, startup_items, userassist\n\nSysmon: 
\n\nWinEvtx: " + }, + { + "techniqueID": "T1049", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1542", + "score": 5, + "comment": "Auditd: FS_RELABEL, USYS_CONFIG\n\nOSQuery: bitlocker_info, drivers, iokit_devicetree, iokit_registry, time_machine_backups\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1497", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1480", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1204", + "score": 6, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USYS_CONFIG\n\nCloudTrail: CreateImage, RunInstances, StartInstances\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, 
rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1057", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1041", + "score": 5, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, 
dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, 
rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1098", + "score": 5, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG\n\nCloudTrail: 
AddClientIDToOpenIDConnectProvider, AddUserToGroup, AttachGroupPolicy, RemoveClientIDFromOpenIDConnectProvider, RemoveUserFromGroup, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateGroup, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1048", + "score": 5, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, office_mru, opera_extensions, plist, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, 
krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, 
smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1110", + "score": 4, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USYS_CONFIG\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " + }, + { + "techniqueID": "T1039", + "score": 5, + "comment": "Auditd: ANOM_LINK, MAC_UNLBL_ALLOW, USER_AVC, USYS_CONFIG\n\nOSQuery: augeas, mounts, nfs_shares, office_mru, plist, shared_folders, sharing_preferences, 
socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1574", + "score": 4, + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, 
DAEMON_ROTATE, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG\n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1027", + "score": 4, + "comment": "Auditd: USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, powershell_events, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1201", + "score": 5, + "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG\n\nCloudTrail: AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, SetDefaultPolicyVersion, SimulateCustomPolicy, 
SimulatePrincipalPolicy, TagPolicy, TagRole, Untag Policy, UntagRole, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateRole\n\nOSQuery: account_policy_data, authorizations, authorized_keys, running_apps, shadow, user_ssh_keys\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1546", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin, wmi_cli_event_consumers, wmi_script_event_consumers\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1486", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1553", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, running_apps, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1570", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT, USYS_CONFIG\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, mounts, nfs_shares, ntfs_acl_permissions, ntfs_journal_events, package_bom, 
process_file_events, quicklook_cache, running_apps, shared_folders, sharing_preferences, shimcache, signature, socket_events, suid_bin\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, 
pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1012", + "score": 4, + 
"comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: appcompat_shims, autoexec, registry, running_apps, startup_items, userassist\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1614", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1197", + "score": 5, + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CMD, USER_TTY, USYS_CONFIG\n\nOSQuery: gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1496", + "score": 5, + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, file_events, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, 
xprotect_reports\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, 
rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1569", + "score": 4, + "comment": "Auditd: DAEMON_START, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_POLICY_LOAD, USER_CMD, USYS_CONFIG\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1485", + "score": 5, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_CMD, USYS_CONFIG\n\nCloudTrail: DeleteSnapshot\n\nOSQuery: file_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1651", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1134", + "score": 5, + "comment": "Auditd: CRED_ACQ, CRED_DISP, USER_CHAUTHTOK, USER_CMD, USER_ERR, USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, AttachRolePolicy, AttachUserPolicy, ChangePassword, CreateAccessKey, CreateAccountAlias, CreateLoginProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateServiceSpecificCredential, DeleteAccessKey, DeleteAccountAlias, DeleteAccountPasswordPolicy, DeleteLoginProfile, DeletePolicyVersion, DeleteRole, DeleteRolePermissionsBoundary, DeleteRolePolicy, DeleteSSHPublicKey, 
DeleteServiceSpecificCredential, DeleteSigningCertificate, DeleteUserPermissionsBoundary, DeleteUserPolicy, DetachRolePolicy, DetachUserPolicy, GenerateCredentialReport, GetAccountAuthorizationDetails, GetAccountPasswordPolicy, GetContextKeysForCustomPolicy, GetContextKeysForPrincipalPolicy, GetCredentialReport, GetLoginprofile, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListEntitiesForPolicy, ListPoliciesGrantingServiceAccess, ListPolicyTags, ListPolicyVersions, ListRolePolicies, ListRoleTags, ListRoles, PutRolePermissionsBoundary, PutRolePolicy, PutUserPermissionsBoundary, PutUserPolicy, RemoveClientIDFromOpenIDConnectProvider, SetDefaultPolicyVersion, SimulateCustomPolicy, SimulatePrincipalPolicy, TagOpenIDConnectProvider, TagPolicy, TagRole, TagSAMLProvider, Untag Policy, UntagOpenIDConnectProvider, UntagRole, UntagSAMLProvider, UpdateAccountPasswordPolicy, UpdateAssumeRolePolicy, UpdateLoginProfile, UpdateOpenIDConnectProviderThumbprint, UpdateRole, UpdateSAMLProvider\n\nOSQuery: account_policy_data, authorizations, authorized_keys, background_activities_moderator, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps, shadow, user_ssh_keys\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1136", + "score": 5, + "comment": "Auditd: ADD_USER, ANOM_ADD_ACCOUNT, USER_CMD, USER_ROLE_CHANGE, USYS_CONFIG\n\nCloudTrail: CreateUser\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1018", + "score": 5, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, ntlm_authenticate, ntlm_challenge, pop3_login_success, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, socks_login_userpass_reply, socks_login_userpass_request, 
ssh2_dh_server_params, ssh_auth_successful, ssl_client_hello, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake" + }, + { + "techniqueID": "T1046", + "score": 3, + "comment": "Auditd: USYS_CONFIG\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, 
rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1518", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: alf, alf_explicit_auths, iptables, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1622", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1052", + "score": 4, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD, USYS_CONFIG\n\nOSQuery: augeas, office_mru, plist, running_apps, usb_devices\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1484", + "score": 3, + "comment": "Auditd: USYS_CONFIG\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, DeleteOpenIDConnectProvider, DeleteSAMLProvider, RemoveClientIDFromOpenIDConnectProvider, TagOpenIDConnectProvider, TagSAMLProvider, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nWinEvtx: " + }, + { + "techniqueID": "T1124", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1490", + "score": 5, + "comment": "Auditd: DAEMON_ABORT, DAEMON_END, DAEMON_RESUME, DAEMON_ROTATE, SELINUX_ERR, USER_CHAUTHTOK, USER_CMD, 
USER_TTY, USYS_CONFIG\n\nCloudTrail: DeleteSnapshot\n\nOSQuery: file_events, gatekeeper, gatekeeper_apps, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1216", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1127", + "score": 4, + "comment": "Auditd: USER_CMD, USYS_CONFIG\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1529", + "score": 4, + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_CMD, USYS_CONFIG\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, running_apps, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1014", + "score": 4, + "comment": "Auditd: FS_RELABEL, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events, time_machine_backups\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1539", + "score": 4, + "comment": "Auditd: ANOM_LINK, TTY, USER_AVC\n\nOSQuery: augeas, office_mru, plist\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1091", + "score": 4, + "comment": "Auditd: ANOM_LINK, USER_AVC, USER_CMD\n\nOSQuery: augeas, 
file_events, office_mru, plist, running_apps, usb_devices\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1187", + "score": 5, + "comment": "Auditd: ANOM_LINK, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_AVC\n\nOSQuery: augeas, file_events, office_mru, plist, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, 
ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, 
ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1554", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1565", + "score": 5, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CHAUTHTOK, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, process_file_events, quicklook_cache, shimcache, signature, socket_events, suid_bin\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, 
icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, 
smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1195", + "score": 3, + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, authenticode, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, event_taps, extended_attributes, fan_speed_sensors, file, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, magic, mdfind, mdls, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, ntfs_acl_permissions, ntfs_journal_events, os_version, package_bom, patches, portage_keywords, portage_packages, portage_use, preferences, process_file_events, programs, python_packages, quicklook_cache, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, shimcache, signature, sip_config, sudoers, suid_bin, 
syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: " + }, + { + "techniqueID": "T1055", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, TTY, USER_LABELED_EXPORT, USER_UNLABELED_EXPORT\n\nOSQuery: authenticode, background_activities_moderator, device_hash, elf_dynamic, elf_info, elf_sections, elf_segments, elf_symbols, extended_attributes, file, file_events, magic, mdfind, mdls, ntfs_acl_permissions, ntfs_journal_events, package_bom, package_receipts, process_envs, process_events, process_file_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, quicklook_cache, shimcache, signature, suid_bin\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1600", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1080", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: file_events, mounts, nfs_shares, running_apps, shared_folders, sharing_preferences\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1140", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: file_events, powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1491", + "score": 5, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, 
mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1601", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE\n\nOSQuery: file_events\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1056", + "score": 4, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, USER_CMD\n\nOSQuery: background_activities_moderator, file_events, package_receipts, process_envs, process_events, process_memory_map, process_namespaces, process_open_files, process_open_pipes, process_open_sockets, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1505", + "score": 5, + "comment": "Auditd: LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: browser_plugins, 
chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, 
pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + 
}, + { + "techniqueID": "T1556", + "score": 5, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, LABEL_LEVEL_CHANGE, LABEL_OVERRIDE, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, TTY, USER_ACCT, USER_AUTH, USER_CHAUTHTOK, USER_LOGIN, USER_ROLE_CHANGE, USER_START\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, SetSecurityTokenPreferences, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1499", + "score": 4, + "comment": "Auditd: MAC_UNLBL_ALLOW, SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, browser_plugins, chassis_info, chrome_extension_content_scripts, chrome_extensions, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, firefox_addons, hardware_events, homebrew_packages, hvci_status, ibridge_info, ie_extensions, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, opera_extensions, os_version, patches, portage_keywords, 
portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, safari_extensions, selinux_events, selinux_settings, shared_resources, sip_config, socket_events, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, 
nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, 
ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1498", + "score": 4, + "comment": "Auditd: SYSTEM_RUNLEVEL, SYSTEM_SHUTDOWN\n\nOSQuery: app_schemes, apparmor_events, apparmor_profiles, apps, apt_sources, asl, battery, block_devices, chassis_info, connectivity, cpu_info, cpu_time, cpuid, crashes, cups_destinations, cups_jobs, deb_packages, default_environment, device_firmware, event_taps, fan_speed_sensors, hardware_events, hvci_status, ibridge_info, intel_me_info, kernel_panics, keychain_acls, keychain_items, memory_error_info, memory_info, memory_map, npm_packages, ntdomains, os_version, patches, portage_keywords, portage_packages, portage_use, preferences, programs, python_packages, rpm_package_files, rpm_packages, selinux_events, selinux_settings, shared_resources, sip_config, sudoers, syslog_events, system_controls, system_info, ulimit_info, video_info, winbaseobj, windows_crashes, windows_optional_features, windows_security_center, windows_security_products, xprotect_entries, xprotect_meta, xprotect_reports\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, 
http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1550", + "score": 4, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, 
ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " + }, + { + "techniqueID": "T1185", + "score": 4, + "comment": "Auditd: CRYPTO_SESSION, TTY, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1606", + "score": 3, + "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin\n\nWinEvtx: " + }, + { + "techniqueID": "T1621", + "score": 4, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, user_events\n\nWinEvtx: " + }, + { + "techniqueID": "T1199", + "score": 5, + "comment": "Auditd: CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events\n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, 
mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1078", + "score": 4, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_KEY_USER, CRYPTO_SESSION, LOGIN, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_END, USER_LOGIN, USER_LOGOUT, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: last, logged_in_users, logon_sessions, user_events\n\nWinEvtx: " + }, + { + "techniqueID": "T1213", + "score": 4, + "comment": "Auditd: CRYPTO_SESSION, USER_LOGIN, 
USER_START\n\nCloudTrail: ConsoleLogin\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions\n\nWinEvtx: " + }, + { + "techniqueID": "T1538", + "score": 4, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, CRYPTO_SESSION, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_LOGIN, USER_START\n\nCloudTrail: ConsoleLogin, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: user_events\n\nWinEvtx: " + }, + { + "techniqueID": "T1133", + "score": 5, + "comment": "Auditd: CRYPTO_KEY_USER, LOGIN, MAC_UNLBL_ALLOW, USER_END, USER_LOGOUT\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, last, logged_in_users, logon_sessions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, 
icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, 
smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1557", + "score": 5, + "comment": "Auditd: DAEMON_START, MAC_POLICY_LOAD, MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, 
dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, 
sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1602", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, 
rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1071", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, 
dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, 
smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1190", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, 
rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1219", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, 
http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, 
smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1205", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, 
dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, 
rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1572", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, 
connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, 
rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, 
udp_request" + }, + { + "techniqueID": "T1589", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1207", + "score": 5, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, MAC_UNLBL_ALLOW, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, CreateOpenIDConnectProvider, CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, 
ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, RemoveClientIDFromOpenIDConnectProvider, ResyncMFADevice, TagMFADevice, TagOpenIDConnectProvider, TagSAMLProvider, UntagMFADevice, UntagOpenIDConnectProvider, UntagSAMLProvider, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider\n\nOSQuery: socket_events, user_events\n\nWinEvtx: \n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1595", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, 
connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, 
rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1090", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, 
connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, 
pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, 
tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1568", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, 
partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, 
ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1612", + "score": 6, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nCloudTrail: CreateImage\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, 
netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, 
socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1586", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, 
ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1102", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, 
nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, 
ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1210", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, 
snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1534", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, 
netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, 
ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1566", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, 
netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, 
snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1001", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, 
ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1571", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, 
pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + 
}, + { + "techniqueID": "T1599", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, 
pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1573", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: 
socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1095", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, 
dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, 
sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1132", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, 
smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1598", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, socket_events\n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, 
http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, 
smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_reply, socks_request, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1585", + "score": 3, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, 
smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1537", + "score": 4, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nCloudTrail: CreateSnapshot, ModifySnapshotAttribute\n\nOSQuery: socket_events\n\nZeek: http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, ssh1_server_host_key, ssh2_ecc_key, 
ssh2_server_host_key, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_server_signature, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1189", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, file_events, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, 
ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1221", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW, USER_CMD\n\nOSQuery: running_apps, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: connection_SYN_packet, connection_established, connection_first_ack, http_content_type, http_entity_data, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, mime_all_data, mime_content_hash, mime_entity_data, mount_reply_status, netbios_session_raw_message, ntlm_authenticate, ntlm_challenge, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_login_success, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_server_certificate, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, sip_all_headers, smb2_close_request, smb2_create_request, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, snmp_encrypted_pdu, snmp_get_request, snmp_report, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, 
ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_successful, ssh_capabilities, ssh_encrypted_packet, ssl_alert, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, udp_contents" + }, + { + "techniqueID": "T1105", + "score": 5, + "comment": "Auditd: MAC_UNLBL_ALLOW\n\nOSQuery: file_events, socket_events\n\nSysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_content_type, http_entity_data, http_reply, http_request, icmp_echo_reply, icmp_echo_request, icmp_neighbor_advertisement, icmp_neighbor_solicitation, icmp_unreachable, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_data, mime_all_headers, mime_content_hash, mime_entity_data, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, mount_reply_status, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, 
netbios_session_raw_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pm_request_callit, pm_request_dump, pm_request_getport, pm_request_null, pm_request_set, pm_request_unset, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_client_cluster_data, rdp_client_core_data, rdp_client_network_data, rdp_client_security_data, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_certificate, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_all_headers, sip_reply, sip_request, smb2_close_request, smb2_close_response, smb2_create_request, smb2_create_response, smb2_file_allocation, smb2_file_endoffile, smb2_file_fscontrol, smb2_file_fsobjectid, smb2_file_fullea, smb2_file_link, smb2_file_mode, smb2_file_pipe, smb2_file_position, smb2_file_rename, smb2_file_sattr, smb2_file_shortname, smb2_file_validdatalength, smb2_negotiate_request, smb2_negotiate_response, smb2_read_request, smb2_session_setup_request, smb2_session_setup_response, smb2_transform_header, smb2_tree_connect_request, smb2_tree_connect_response, smb2_tree_disconnect_request, smb2_tree_disconnect_response, smb2_write_request, smb2_write_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_encrypted_pdu, snmp_get_bulk_request, snmp_get_next_request, snmp_get_request, 
snmp_inform_request, snmp_report, snmp_response, snmp_set_request, snmp_trap, snmp_trapv2, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh1_server_host_key, ssh2_dh_server_params, ssh2_ecc_key, ssh2_server_host_key, ssh_auth_attempted, ssh_auth_successful, ssh_capabilities, ssh_client_version, ssh_encrypted_packet, ssh_server_version, ssl_alert, ssl_change_cipher_spec, ssl_client_hello, ssl_dh_client_params, ssl_dh_server_params, ssl_ecdh_client_params, ssl_ecdh_server_params, ssl_encrypted_data, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_server_signature, ssl_session_ticket_handshake, tcp_contents, tcp_options, tcp_packet, tcp_rexmit, udp_contents, udp_reply, udp_request" + }, + { + "techniqueID": "T1559", + "score": 4, + "comment": "Auditd: TTY, USER_CMD\n\nOSQuery: powershell_events, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1611", + "score": 5, + "comment": "Auditd: USER_CMD\n\nCloudTrail: DetachVolume, ModifyVolume\n\nOSQuery: authorization_mechanisms, fbsd_kmods, kernel_modules, running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1072", + "score": 4, + "comment": "Auditd: USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1212", + "score": 5, + "comment": "Auditd: ANOM_LOGIN_FAILURES, ANOM_LOGIN_LOCATION, ANOM_LOGIN_SESSIONS, ANOM_LOGIN_TIME, RESP_ACCT_LOCK, RESP_ACCT_UNLOCK_TIMED, USER_ACCT, USER_AUTH, USER_CMD\n\nCloudTrail: CreateVirtualMFADevice, DeactivateMFADevice, DeleteVirtualMFADevice, EnableMFADevice, GetMFADevice, ListMFADeviceTags, ListMFADevices, ListVirtualMFADevices, ResyncMFADevice, TagMFADevice, UntagMFADevice\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, 
firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions, user_events\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1068", + "score": 4, + "comment": "Auditd: USER_CMD\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1203", + "score": 4, + "comment": "Auditd: USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1220", + "score": 4, + "comment": "Auditd: USER_CMD\n\nOSQuery: running_apps\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1211", + "score": 4, + "comment": "Auditd: USER_CMD\n\nOSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, running_apps, safari_extensions\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1531", + "score": 3, + "comment": "Auditd: ANOM_DEL_ACCOUNT, DEL_USER, USER_CHAUTHTOK, USER_ROLE_CHANGE\n\nCloudTrail: AddClientIDToOpenIDConnectProvider, DeleteUser, RemoveClientIDFromOpenIDConnectProvider, SetSecurityTokenPreferences, TagOpenIDConnectProvider, TagSAMLProvider, TagUser, UntagOpenIDConnectProvider, UntagSAMLProvider, UntagUser, UpdateAccessKey, UpdateOpenIDConnectProviderThumbprint, UpdateSAMLProvider, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: " + }, + { + "techniqueID": "T1528", + "score": 3, + "comment": "Auditd: USER_CHAUTHTOK, USER_ROLE_CHANGE\n\nCloudTrail: SetSecurityTokenPreferences, TagUser, UntagUser, UpdateAccessKey, UpdateSSHPublicKey, UpdateServiceSpecificCredential, UpdateSigningCertificate, UpdateUser, UploadSSHPublicKey, UploadServerCertificate, UploadSigningCertificate\n\nWinEvtx: " + }, + { + "techniqueID": "T1525", + 
"score": 2, + "comment": "CloudTrail: CreateImage, ModifyImageAttribute\n\nOSQuery: sandboxes" + }, + { + "techniqueID": "T1578", + "score": 1, + "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, CreateSnapshot, CreateVolume, DeleteInstanceProfile, DeleteSnapshot, DetachVolume, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, ModifySnapshotAttribute, ModifyVolume, RemoveRoleFromInstanceProfile, RunInstances, StartInstances, StopInstances, TagInstanceProfile, UntagInstanceProfile" + }, + { + "techniqueID": "T1535", + "score": 1, + "comment": "CloudTrail: AddRoleToInstanceProfile, CreateInstanceProfile, DeleteInstanceProfile, GetInstanceProfile, ListInstanceProfileTags, ListInstanceProfiles, ListInstanceProfilesForRole, RemoveRoleFromInstanceProfile, TagInstanceProfile, UntagInstanceProfile" + }, + { + "techniqueID": "T1594", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions" + }, + { + "techniqueID": "T1610", + "score": 1, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions" + }, + { + "techniqueID": "T1200", + "score": 3, + "comment": "OSQuery: browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions, usb_devices\n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_attempt, connection_eof, connection_finished, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, 
dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_reply, socks_request, ssh_auth_attempted, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_extension, ssl_handshake_message, ssl_heartbeat, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1648", + "score": 1, + "comment": "OSQuery: 
browser_plugins, chrome_extension_content_scripts, chrome_extensions, firefox_addons, homebrew_packages, ie_extensions, opera_extensions, safari_extensions" + }, + { + "techniqueID": "T1588", + "score": 1, + "comment": "OSQuery: certificates" + }, + { + "techniqueID": "T1092", + "score": 2, + "comment": "OSQuery: device_file, device_partitions, disk_encryption, disk_events, disk_info, logical_drives, usb_devices\n\nWinEvtx: " + }, + { + "techniqueID": "T1620", + "score": 3, + "comment": "OSQuery: powershell_events\n\nSysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1111", + "score": 2, + "comment": "Sysmon: \n\nWinEvtx: " + }, + { + "techniqueID": "T1129", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1106", + "score": 1, + "comment": "Sysmon: " + }, + { + "techniqueID": "T1029", + "score": 3, + "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, 
netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1104", + "score": 3, + "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, 
dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, 
socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1030", + "score": 3, + "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, 
nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, udp_request" + }, + { + "techniqueID": "T1008", + "score": 3, + "comment": "Sysmon: \n\nWinEvtx: \n\nZeek: arp_reply, arp_request, connection_SYN_packet, connection_attempt, connection_eof, connection_established, connection_finished, connection_first_ack, connection_half_finished, connection_partial_close, connection_pending, connection_rejected, connection_reset, dce_rpc_alter_context, dce_rpc_alter_context_resp, dce_rpc_bind, dce_rpc_bind_ack, dce_rpc_reply, dce_rpc_request, dhcp_message, dns_AAAA_reply, dns_A_reply, dns_CAA_reply, dns_CNAME_reply, dns_DNSKEY_reply, dns_DS_reply, dns_EDNS_addl_reply, dns_EDNS_ecs_reply, dns_HINFO_reply, dns_MX_reply, dns_NSEC_reply, dns_NS_reply, dns_PTR_reply, dns_RRSIG_reply, dns_SOA_reply, dns_SPF_reply, dns_SRV_reply, dns_TSIG_reply, dns_TXT_reply, 
dns_WKS_reply, dns_a6_reply, dns_request, dns_unknown_reply, ftp_reply, ftp_request, http_all_headers, http_reply, http_request, icmp_echo_reply, icmp_echo_request, imap_capabilities, imap_start_tls, krb_ap_request, krb_ap_response, krb_as_request, krb_as_response, krb_tgs_request, krb_tgs_response, mime_all_headers, mount_proc_mnt, mount_proc_not_implemented, mount_proc_null, mount_proc_umnt, mount_proc_umnt_all, netbios_session_accepted, netbios_session_keepalive, netbios_session_message, netbios_session_rejected, netbios_session_request, netbios_session_ret_arg_resp, nfs_proc_create, nfs_proc_getattr, nfs_proc_link, nfs_proc_lookup, nfs_proc_mkdir, nfs_proc_read, nfs_proc_readdir, nfs_proc_readlink, nfs_proc_remove, nfs_proc_rename, nfs_proc_rmdir, nfs_proc_sattr, nfs_proc_symlink, nfs_proc_write, nfs_reply_status, ntlm_authenticate, ntlm_challenge, ntlm_negotiate, ntp_message, partial_connection, pm_attempt_callit, pm_attempt_dump, pm_attempt_getport, pm_attempt_null, pm_attempt_set, pm_attempt_unset, pm_bad_port, pop3_data, pop3_login_failure, pop3_login_success, pop3_reply, pop3_request, pop3_starttls, rdp_begin_encryption, rdp_connect_request, rdp_gcc_server_create_response, rdp_native_encrypted_data, rdp_negotiation_failure, rdp_negotiation_response, rdp_server_security, rdpeudp_data, rdpeudp_established, rdpeudp_syn, rdpeudp_synack, rpc_call, rpc_dialogue, rpc_reply, sip_reply, sip_request, smb2_close_response, smb2_create_response, smtp_data, smtp_reply, smtp_request, smtp_starttls, snmp_get_bulk_request, snmp_get_next_request, snmp_inform_request, snmp_response, socks_login_userpass_reply, socks_login_userpass_request, socks_reply, socks_request, ssh2_dh_server_params, ssh_auth_attempted, ssh_auth_successful, ssh_client_version, ssh_server_version, ssl_change_cipher_spec, ssl_client_hello, ssl_established, ssl_extension, ssl_handshake_message, ssl_heartbeat, ssl_rsa_client_pms, ssl_server_hello, ssl_session_ticket_handshake, tcp_rexmit, udp_reply, 
udp_request" + } + ], + "gradient": { + "colors": [ + "#ff6666", + "#ffe766ff", + "#8ec843" + ], + "minValue": 1, + "maxValue": 6 + } +} \ No newline at end of file diff --git a/poetry.lock b/poetry.lock index 0a8d7d4..98f2a2f 100644 --- a/poetry.lock +++ b/poetry.lock @@ -11,6 +11,16 @@ files = [ {file = "alabaster-0.7.13.tar.gz", hash = "sha256:a27a4a084d5e690e16e01e03ad2b2e552c61a65469419b907243193de1a84ae2"}, ] +[[package]] +name = "antlr4-python3-runtime" +version = "4.9.3" +description = "ANTLR 4.9.3 runtime for Python 3.7" +optional = false +python-versions = "*" +files = [ + {file = "antlr4-python3-runtime-4.9.3.tar.gz", hash = "sha256:f224469b4168294902bb1efa80a8bf7855f24c99aef99cbefc1bcd3cce77881b"}, +] + [[package]] name = "babel" version = "2.12.1" 
@@ -313,6 +323,77 @@ files = [ {file = "MarkupSafe-2.1.3.tar.gz", hash = "sha256:af598ed32d6ae86f1b747b82783958b1a4ab8f617b06fe68795c7f026abbdcad"}, ] +[[package]] +name = "numpy" +version = "1.24.4" +description = "Fundamental package for array computing in Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "numpy-1.24.4-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:c0bfb52d2169d58c1cdb8cc1f16989101639b34c7d3ce60ed70b19c63eba0b64"}, + {file = "numpy-1.24.4-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:ed094d4f0c177b1b8e7aa9cba7d6ceed51c0e569a5318ac0ca9a090680a6a1b1"}, + {file = "numpy-1.24.4-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:79fc682a374c4a8ed08b331bef9c5f582585d1048fa6d80bc6c35bc384eee9b4"}, + {file = "numpy-1.24.4-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7ffe43c74893dbf38c2b0a1f5428760a1a9c98285553c89e12d70a96a7f3a4d6"}, + {file = "numpy-1.24.4-cp310-cp310-win32.whl", hash = "sha256:4c21decb6ea94057331e111a5bed9a79d335658c27ce2adb580fb4d54f2ad9bc"}, + {file = "numpy-1.24.4-cp310-cp310-win_amd64.whl", hash = "sha256:b4bea75e47d9586d31e892a7401f76e909712a0fd510f58f5337bea9572c571e"}, + {file = "numpy-1.24.4-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:f136bab9c2cfd8da131132c2cf6cc27331dd6fae65f95f69dcd4ae3c3639c810"}, + {file = "numpy-1.24.4-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:e2926dac25b313635e4d6cf4dc4e51c8c0ebfed60b801c799ffc4c32bf3d1254"}, + {file = "numpy-1.24.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:222e40d0e2548690405b0b3c7b21d1169117391c2e82c378467ef9ab4c8f0da7"}, + {file = "numpy-1.24.4-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7215847ce88a85ce39baf9e89070cb860c98fdddacbaa6c0da3ffb31b3350bd5"}, + {file = "numpy-1.24.4-cp311-cp311-win32.whl", hash = "sha256:4979217d7de511a8d57f4b4b5b2b965f707768440c17cb70fbf254c4b225238d"}, + {file = 
"numpy-1.24.4-cp311-cp311-win_amd64.whl", hash = "sha256:b7b1fc9864d7d39e28f41d089bfd6353cb5f27ecd9905348c24187a768c79694"}, + {file = "numpy-1.24.4-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:1452241c290f3e2a312c137a9999cdbf63f78864d63c79039bda65ee86943f61"}, + {file = "numpy-1.24.4-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:04640dab83f7c6c85abf9cd729c5b65f1ebd0ccf9de90b270cd61935eef0197f"}, + {file = "numpy-1.24.4-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a5425b114831d1e77e4b5d812b69d11d962e104095a5b9c3b641a218abcc050e"}, + {file = "numpy-1.24.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dd80e219fd4c71fc3699fc1dadac5dcf4fd882bfc6f7ec53d30fa197b8ee22dc"}, + {file = "numpy-1.24.4-cp38-cp38-win32.whl", hash = "sha256:4602244f345453db537be5314d3983dbf5834a9701b7723ec28923e2889e0bb2"}, + {file = "numpy-1.24.4-cp38-cp38-win_amd64.whl", hash = "sha256:692f2e0f55794943c5bfff12b3f56f99af76f902fc47487bdfe97856de51a706"}, + {file = "numpy-1.24.4-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:2541312fbf09977f3b3ad449c4e5f4bb55d0dbf79226d7724211acc905049400"}, + {file = "numpy-1.24.4-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:9667575fb6d13c95f1b36aca12c5ee3356bf001b714fc354eb5465ce1609e62f"}, + {file = "numpy-1.24.4-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f3a86ed21e4f87050382c7bc96571755193c4c1392490744ac73d660e8f564a9"}, + {file = "numpy-1.24.4-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d11efb4dbecbdf22508d55e48d9c8384db795e1b7b51ea735289ff96613ff74d"}, + {file = "numpy-1.24.4-cp39-cp39-win32.whl", hash = "sha256:6620c0acd41dbcb368610bb2f4d83145674040025e5536954782467100aa8835"}, + {file = "numpy-1.24.4-cp39-cp39-win_amd64.whl", hash = "sha256:befe2bf740fd8373cf56149a5c23a0f601e82869598d41f8e188a0e9869926f8"}, + {file = "numpy-1.24.4-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = 
"sha256:31f13e25b4e304632a4619d0e0777662c2ffea99fcae2029556b17d8ff958aef"}, + {file = "numpy-1.24.4-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:95f7ac6540e95bc440ad77f56e520da5bf877f87dca58bd095288dce8940532a"}, + {file = "numpy-1.24.4-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:e98f220aa76ca2a977fe435f5b04d7b3470c0a2e6312907b37ba6068f26787f2"}, + {file = "numpy-1.24.4.tar.gz", hash = "sha256:80f5e3a4e498641401868df4208b74581206afbee7cf7b8329daae82676d9463"}, +] + +[[package]] +name = "numpy" +version = "1.25.2" +description = "Fundamental package for array computing in Python" +optional = false +python-versions = ">=3.9" +files = [ + {file = "numpy-1.25.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:db3ccc4e37a6873045580d413fe79b68e47a681af8db2e046f1dacfa11f86eb3"}, + {file = "numpy-1.25.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:90319e4f002795ccfc9050110bbbaa16c944b1c37c0baeea43c5fb881693ae1f"}, + {file = "numpy-1.25.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dfe4a913e29b418d096e696ddd422d8a5d13ffba4ea91f9f60440a3b759b0187"}, + {file = "numpy-1.25.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f08f2e037bba04e707eebf4bc934f1972a315c883a9e0ebfa8a7756eabf9e357"}, + {file = "numpy-1.25.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:bec1e7213c7cb00d67093247f8c4db156fd03075f49876957dca4711306d39c9"}, + {file = "numpy-1.25.2-cp310-cp310-win32.whl", hash = "sha256:7dc869c0c75988e1c693d0e2d5b26034644399dd929bc049db55395b1379e044"}, + {file = "numpy-1.25.2-cp310-cp310-win_amd64.whl", hash = "sha256:834b386f2b8210dca38c71a6e0f4fd6922f7d3fcff935dbe3a570945acb1b545"}, + {file = "numpy-1.25.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c5462d19336db4560041517dbb7759c21d181a67cb01b36ca109b2ae37d32418"}, + {file = "numpy-1.25.2-cp311-cp311-macosx_11_0_arm64.whl", hash = 
"sha256:c5652ea24d33585ea39eb6a6a15dac87a1206a692719ff45d53c5282e66d4a8f"}, + {file = "numpy-1.25.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0d60fbae8e0019865fc4784745814cff1c421df5afee233db6d88ab4f14655a2"}, + {file = "numpy-1.25.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:60e7f0f7f6d0eee8364b9a6304c2845b9c491ac706048c7e8cf47b83123b8dbf"}, + {file = "numpy-1.25.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:bb33d5a1cf360304754913a350edda36d5b8c5331a8237268c48f91253c3a364"}, + {file = "numpy-1.25.2-cp311-cp311-win32.whl", hash = "sha256:5883c06bb92f2e6c8181df7b39971a5fb436288db58b5a1c3967702d4278691d"}, + {file = "numpy-1.25.2-cp311-cp311-win_amd64.whl", hash = "sha256:5c97325a0ba6f9d041feb9390924614b60b99209a71a69c876f71052521d42a4"}, + {file = "numpy-1.25.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:b79e513d7aac42ae918db3ad1341a015488530d0bb2a6abcbdd10a3a829ccfd3"}, + {file = "numpy-1.25.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:eb942bfb6f84df5ce05dbf4b46673ffed0d3da59f13635ea9b926af3deb76926"}, + {file = "numpy-1.25.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3e0746410e73384e70d286f93abf2520035250aad8c5714240b0492a7302fdca"}, + {file = "numpy-1.25.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d7806500e4f5bdd04095e849265e55de20d8cc4b661b038957354327f6d9b295"}, + {file = "numpy-1.25.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:8b77775f4b7df768967a7c8b3567e309f617dd5e99aeb886fa14dc1a0791141f"}, + {file = "numpy-1.25.2-cp39-cp39-win32.whl", hash = "sha256:2792d23d62ec51e50ce4d4b7d73de8f67a2fd3ea710dcbc8563a51a03fb07b01"}, + {file = "numpy-1.25.2-cp39-cp39-win_amd64.whl", hash = "sha256:76b4115d42a7dfc5d485d358728cdd8719be33cc5ec6ec08632a5d6fca2ed380"}, + {file = "numpy-1.25.2-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:1a1329e26f46230bf77b02cc19e900db9b52f398d6722ca853349a782d4cff55"}, + 
{file = "numpy-1.25.2-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4c3abc71e8b6edba80a01a52e66d83c5d14433cbcd26a40c329ec7ed09f37901"}, + {file = "numpy-1.25.2-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:1b9735c27cea5d995496f46a8b1cd7b408b3f34b6d50459d9ac8fe3a20cc17bf"}, + {file = "numpy-1.25.2.tar.gz", hash = "sha256:fd608e19c8d7c55021dffd43bfe5492fab8cc105cc8986f813f8c3c048b38760"}, +] + [[package]] name = "openpyxl" version = "3.1.2" 
@@ -338,6 +419,73 @@ files = [ {file = "packaging-23.1.tar.gz", hash = "sha256:a392980d2b6cffa644431898be54b0045151319d1e7ec34f0cfed48767dd334f"}, ] +[[package]] +name = "pandas" +version = "2.0.0" +description = "Powerful data structures for data analysis, time series, and statistics" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pandas-2.0.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:bbb2c5e94d6aa4e632646a3bacd05c2a871c3aa3e85c9bec9be99cb1267279f2"}, + {file = "pandas-2.0.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:b5337c87c4e963f97becb1217965b6b75c6fe5f54c4cf09b9a5ac52fc0bd03d3"}, + {file = "pandas-2.0.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6ded51f7e3dd9b4f8b87f2ceb7bd1a8df2491f7ee72f7074c6927a512607199e"}, + {file = "pandas-2.0.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:52c858de9e9fc422d25e67e1592a6e6135d7bcf9a19fcaf4d0831a0be496bf21"}, + {file = "pandas-2.0.0-cp310-cp310-win32.whl", hash = "sha256:2d1d138848dd71b37e3cbe7cd952ff84e2ab04d8988972166e18567dcc811245"}, + {file = "pandas-2.0.0-cp310-cp310-win_amd64.whl", hash = "sha256:d08e41d96bc4de6f500afe80936c68fce6099d5a434e2af7c7fd8e7c72a3265d"}, + {file = "pandas-2.0.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:24472cfc7ced511ac90608728b88312be56edc8f19b9ed885a7d2e47ffaf69c0"}, + {file = "pandas-2.0.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4ffb14f50c74ee541610668137830bb93e9dfa319b1bef2cedf2814cd5ac9c70"}, + {file = "pandas-2.0.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c24c7d12d033a372a9daf9ff2c80f8b0af6f98d14664dbb0a4f6a029094928a7"}, + {file = "pandas-2.0.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8318de0f886e4dcb8f9f36e45a3d6a6c3d1cfdc508354da85e739090f0222991"}, + {file = "pandas-2.0.0-cp311-cp311-win32.whl", hash = "sha256:57c34b79c13249505e850d0377b722961b99140f81dafbe6f19ef10239f6284a"}, + {file = 
"pandas-2.0.0-cp311-cp311-win_amd64.whl", hash = "sha256:8f987ec26e96a8490909bc5d98c514147236e49830cba7df8690f6087c12bbae"}, + {file = "pandas-2.0.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:b3ba8f5dd470d8bfbc4259829589f4a32881151c49e36384d9eb982b35a12020"}, + {file = "pandas-2.0.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:fcd471c9d9f60926ab2f15c6c29164112f458acb42280365fbefa542d0c2fc74"}, + {file = "pandas-2.0.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9253edfd015520ce77a9343eb7097429479c039cd3ebe81d7810ea11b4b24695"}, + {file = "pandas-2.0.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:977326039bd1ded620001a1889e2ed4798460a6bc5a24fbaebb5f07a41c32a55"}, + {file = "pandas-2.0.0-cp38-cp38-win32.whl", hash = "sha256:78425ca12314b23356c28b16765639db10ebb7d8983f705d6759ff7fe41357fa"}, + {file = "pandas-2.0.0-cp38-cp38-win_amd64.whl", hash = "sha256:d93b7fcfd9f3328072b250d6d001dcfeec5d3bb66c1b9c8941e109a46c0c01a8"}, + {file = "pandas-2.0.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:425705cee8be54db2504e8dd2a730684790b15e5904b750c367611ede49098ab"}, + {file = "pandas-2.0.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:a4f789b7c012a608c08cda4ff0872fd979cb18907a37982abe884e6f529b8793"}, + {file = "pandas-2.0.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3bb9d840bf15656805f6a3d87eea9dcb7efdf1314a82adcf7f00b820427c5570"}, + {file = "pandas-2.0.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0778ab54c8f399d83d98ffb674d11ec716449956bc6f6821891ab835848687f2"}, + {file = "pandas-2.0.0-cp39-cp39-win32.whl", hash = "sha256:70db5c278bbec0306d32bf78751ff56b9594c05a5098386f6c8a563659124f91"}, + {file = "pandas-2.0.0-cp39-cp39-win_amd64.whl", hash = "sha256:4f3320bb55f34af4193020158ef8118ee0fb9aec7cc47d2084dbfdd868a0a24f"}, + {file = "pandas-2.0.0.tar.gz", hash = "sha256:cda9789e61b44463c1c4fe17ef755de77bcd13b09ba31c940d20f193d63a5dc8"}, 
+] + +[package.dependencies] +numpy = [ + {version = ">=1.20.3", markers = "python_version < \"3.10\""}, + {version = ">=1.21.0", markers = "python_version >= \"3.10\""}, + {version = ">=1.23.2", markers = "python_version >= \"3.11\""}, +] +python-dateutil = ">=2.8.2" +pytz = ">=2020.1" +tzdata = ">=2022.1" + +[package.extras] +all = ["PyQt5 (>=5.15.1)", "SQLAlchemy (>=1.4.16)", "beautifulsoup4 (>=4.9.3)", "bottleneck (>=1.3.2)", "brotlipy (>=0.7.0)", "fastparquet (>=0.6.3)", "fsspec (>=2021.07.0)", "gcsfs (>=2021.07.0)", "html5lib (>=1.1)", "hypothesis (>=6.34.2)", "jinja2 (>=3.0.0)", "lxml (>=4.6.3)", "matplotlib (>=3.6.1)", "numba (>=0.53.1)", "numexpr (>=2.7.3)", "odfpy (>=1.4.1)", "openpyxl (>=3.0.7)", "pandas-gbq (>=0.15.0)", "psycopg2 (>=2.8.6)", "pyarrow (>=7.0.0)", "pymysql (>=1.0.2)", "pyreadstat (>=1.1.2)", "pytest (>=7.0.0)", "pytest-asyncio (>=0.17.0)", "pytest-xdist (>=2.2.0)", "python-snappy (>=0.6.0)", "pyxlsb (>=1.0.8)", "qtpy (>=2.2.0)", "s3fs (>=2021.08.0)", "scipy (>=1.7.1)", "tables (>=3.6.1)", "tabulate (>=0.8.9)", "xarray (>=0.21.0)", "xlrd (>=2.0.1)", "xlsxwriter (>=1.4.3)", "zstandard (>=0.15.2)"] +aws = ["s3fs (>=2021.08.0)"] +clipboard = ["PyQt5 (>=5.15.1)", "qtpy (>=2.2.0)"] +compression = ["brotlipy (>=0.7.0)", "python-snappy (>=0.6.0)", "zstandard (>=0.15.2)"] +computation = ["scipy (>=1.7.1)", "xarray (>=0.21.0)"] +excel = ["odfpy (>=1.4.1)", "openpyxl (>=3.0.7)", "pyxlsb (>=1.0.8)", "xlrd (>=2.0.1)", "xlsxwriter (>=1.4.3)"] +feather = ["pyarrow (>=7.0.0)"] +fss = ["fsspec (>=2021.07.0)"] +gcp = ["gcsfs (>=2021.07.0)", "pandas-gbq (>=0.15.0)"] +hdf5 = ["tables (>=3.6.1)"] +html = ["beautifulsoup4 (>=4.9.3)", "html5lib (>=1.1)", "lxml (>=4.6.3)"] +mysql = ["SQLAlchemy (>=1.4.16)", "pymysql (>=1.0.2)"] +output-formatting = ["jinja2 (>=3.0.0)", "tabulate (>=0.8.9)"] +parquet = ["pyarrow (>=7.0.0)"] +performance = ["bottleneck (>=1.3.2)", "numba (>=0.53.1)", "numexpr (>=2.7.1)"] +plot = ["matplotlib (>=3.6.1)"] +postgresql = ["SQLAlchemy 
(>=1.4.16)", "psycopg2 (>=2.8.6)"] +spss = ["pyreadstat (>=1.1.2)"] +sql-other = ["SQLAlchemy (>=1.4.16)"] +test = ["hypothesis (>=6.34.2)", "pytest (>=7.0.0)", "pytest-asyncio (>=0.17.0)", "pytest-xdist (>=2.2.0)"] +xml = ["lxml (>=4.6.3)"] + [[package]] name = "pygments" version = "2.15.1" @@ -352,6 +500,20 @@ files = [ [package.extras] plugins = ["importlib-metadata"] +[[package]] +name = "python-dateutil" +version = "2.8.2" +description = "Extensions to the standard Python datetime module" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7" +files = [ + {file = "python-dateutil-2.8.2.tar.gz", hash = "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86"}, + {file = "python_dateutil-2.8.2-py2.py3-none-any.whl", hash = "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9"}, +] + +[package.dependencies] +six = ">=1.5" + [[package]] name = "python-dotenv" version = "1.0.0" 
@@ -398,6 +560,113 @@ urllib3 = ">=1.21.1,<3" socks = ["PySocks (>=1.5.6,!=1.5.7)"] use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"] +[[package]] +name = "simplejson" +version = "3.19.2" +description = "Simple, fast, extensible JSON encoder/decoder for Python" +optional = false +python-versions = ">=2.5, !=3.0.*, !=3.1.*, !=3.2.*" +files = [ + {file = "simplejson-3.19.2-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:3471e95110dcaf901db16063b2e40fb394f8a9e99b3fe9ee3acc6f6ef72183a2"}, + {file = "simplejson-3.19.2-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:3194cd0d2c959062b94094c0a9f8780ffd38417a5322450a0db0ca1a23e7fbd2"}, + {file = "simplejson-3.19.2-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:8a390e56a7963e3946ff2049ee1eb218380e87c8a0e7608f7f8790ba19390867"}, + {file = "simplejson-3.19.2-cp27-cp27m-manylinux2010_i686.whl", hash = "sha256:1537b3dd62d8aae644f3518c407aa8469e3fd0f179cdf86c5992792713ed717a"}, + {file = "simplejson-3.19.2-cp27-cp27m-manylinux2010_x86_64.whl", hash = "sha256:a8617625369d2d03766413bff9e64310feafc9fc4f0ad2b902136f1a5cd8c6b0"}, + {file = "simplejson-3.19.2-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:2c433a412e96afb9a3ce36fa96c8e61a757af53e9c9192c97392f72871e18e69"}, + {file = "simplejson-3.19.2-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:f1c70249b15e4ce1a7d5340c97670a95f305ca79f376887759b43bb33288c973"}, + {file = "simplejson-3.19.2-cp27-cp27mu-manylinux2010_i686.whl", hash = "sha256:287e39ba24e141b046812c880f4619d0ca9e617235d74abc27267194fc0c7835"}, + {file = "simplejson-3.19.2-cp27-cp27mu-manylinux2010_x86_64.whl", hash = "sha256:6f0a0b41dd05eefab547576bed0cf066595f3b20b083956b1405a6f17d1be6ad"}, + {file = "simplejson-3.19.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:2f98d918f7f3aaf4b91f2b08c0c92b1774aea113334f7cde4fe40e777114dbe6"}, + {file = "simplejson-3.19.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:7d74beca677623481810c7052926365d5f07393c72cbf62d6cce29991b676402"}, + {file = 
"simplejson-3.19.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:7f2398361508c560d0bf1773af19e9fe644e218f2a814a02210ac2c97ad70db0"}, + {file = "simplejson-3.19.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6ad331349b0b9ca6da86064a3599c425c7a21cd41616e175ddba0866da32df48"}, + {file = "simplejson-3.19.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:332c848f02d71a649272b3f1feccacb7e4f7e6de4a2e6dc70a32645326f3d428"}, + {file = "simplejson-3.19.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:25785d038281cd106c0d91a68b9930049b6464288cea59ba95b35ee37c2d23a5"}, + {file = "simplejson-3.19.2-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:18955c1da6fc39d957adfa346f75226246b6569e096ac9e40f67d102278c3bcb"}, + {file = "simplejson-3.19.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:11cc3afd8160d44582543838b7e4f9aa5e97865322844b75d51bf4e0e413bb3e"}, + {file = "simplejson-3.19.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:b01fda3e95d07a6148702a641e5e293b6da7863f8bc9b967f62db9461330562c"}, + {file = "simplejson-3.19.2-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:778331444917108fa8441f59af45886270d33ce8a23bfc4f9b192c0b2ecef1b3"}, + {file = "simplejson-3.19.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:9eb117db8d7ed733a7317c4215c35993b815bf6aeab67523f1f11e108c040672"}, + {file = "simplejson-3.19.2-cp310-cp310-win32.whl", hash = "sha256:39b6d79f5cbfa3eb63a869639cfacf7c41d753c64f7801efc72692c1b2637ac7"}, + {file = "simplejson-3.19.2-cp310-cp310-win_amd64.whl", hash = "sha256:5675e9d8eeef0aa06093c1ff898413ade042d73dc920a03e8cea2fb68f62445a"}, + {file = "simplejson-3.19.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:ed628c1431100b0b65387419551e822987396bee3c088a15d68446d92f554e0c"}, + {file = 
"simplejson-3.19.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:adcb3332979cbc941b8fff07181f06d2b608625edc0a4d8bc3ffc0be414ad0c4"}, + {file = "simplejson-3.19.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:08889f2f597ae965284d7b52a5c3928653a9406d88c93e3161180f0abc2433ba"}, + {file = "simplejson-3.19.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ef7938a78447174e2616be223f496ddccdbf7854f7bf2ce716dbccd958cc7d13"}, + {file = "simplejson-3.19.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a970a2e6d5281d56cacf3dc82081c95c1f4da5a559e52469287457811db6a79b"}, + {file = "simplejson-3.19.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:554313db34d63eac3b3f42986aa9efddd1a481169c12b7be1e7512edebff8eaf"}, + {file = "simplejson-3.19.2-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4d36081c0b1c12ea0ed62c202046dca11438bee48dd5240b7c8de8da62c620e9"}, + {file = "simplejson-3.19.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:a3cd18e03b0ee54ea4319cdcce48357719ea487b53f92a469ba8ca8e39df285e"}, + {file = "simplejson-3.19.2-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:66e5dc13bfb17cd6ee764fc96ccafd6e405daa846a42baab81f4c60e15650414"}, + {file = "simplejson-3.19.2-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:972a7833d4a1fcf7a711c939e315721a88b988553fc770a5b6a5a64bd6ebeba3"}, + {file = "simplejson-3.19.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:3e74355cb47e0cd399ead3477e29e2f50e1540952c22fb3504dda0184fc9819f"}, + {file = "simplejson-3.19.2-cp311-cp311-win32.whl", hash = "sha256:1dd4f692304854352c3e396e9b5f0a9c9e666868dd0bdc784e2ac4c93092d87b"}, + {file = "simplejson-3.19.2-cp311-cp311-win_amd64.whl", hash = "sha256:9300aee2a8b5992d0f4293d88deb59c218989833e3396c824b69ba330d04a589"}, + {file = 
"simplejson-3.19.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:b8d940fd28eb34a7084877747a60873956893e377f15a32ad445fe66c972c3b8"}, + {file = "simplejson-3.19.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:4969d974d9db826a2c07671273e6b27bc48e940738d768fa8f33b577f0978378"}, + {file = "simplejson-3.19.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:c594642d6b13d225e10df5c16ee15b3398e21a35ecd6aee824f107a625690374"}, + {file = "simplejson-3.19.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e2f5a398b5e77bb01b23d92872255e1bcb3c0c719a3be40b8df146570fe7781a"}, + {file = "simplejson-3.19.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:176a1b524a3bd3314ed47029a86d02d5a95cc0bee15bd3063a1e1ec62b947de6"}, + {file = "simplejson-3.19.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f3c7363a8cb8c5238878ec96c5eb0fc5ca2cb11fc0c7d2379863d342c6ee367a"}, + {file = "simplejson-3.19.2-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:346820ae96aa90c7d52653539a57766f10f33dd4be609206c001432b59ddf89f"}, + {file = "simplejson-3.19.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:de9a2792612ec6def556d1dc621fd6b2073aff015d64fba9f3e53349ad292734"}, + {file = "simplejson-3.19.2-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:1c768e7584c45094dca4b334af361e43b0aaa4844c04945ac7d43379eeda9bc2"}, + {file = "simplejson-3.19.2-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:9652e59c022e62a5b58a6f9948b104e5bb96d3b06940c6482588176f40f4914b"}, + {file = "simplejson-3.19.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:9c1a4393242e321e344213a90a1e3bf35d2f624aa8b8f6174d43e3c6b0e8f6eb"}, + {file = "simplejson-3.19.2-cp312-cp312-win32.whl", hash = "sha256:7cb98be113911cb0ad09e5523d0e2a926c09a465c9abb0784c9269efe4f95917"}, + {file = 
"simplejson-3.19.2-cp312-cp312-win_amd64.whl", hash = "sha256:6779105d2fcb7fcf794a6a2a233787f6bbd4731227333a072d8513b252ed374f"}, + {file = "simplejson-3.19.2-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:061e81ea2d62671fa9dea2c2bfbc1eec2617ae7651e366c7b4a2baf0a8c72cae"}, + {file = "simplejson-3.19.2-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4280e460e51f86ad76dc456acdbfa9513bdf329556ffc8c49e0200878ca57816"}, + {file = "simplejson-3.19.2-cp36-cp36m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:11c39fbc4280d7420684494373b7c5904fa72a2b48ef543a56c2d412999c9e5d"}, + {file = "simplejson-3.19.2-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bccb3e88ec26ffa90f72229f983d3a5d1155e41a1171190fa723d4135523585b"}, + {file = "simplejson-3.19.2-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1bb5b50dc6dd671eb46a605a3e2eb98deb4a9af787a08fcdddabe5d824bb9664"}, + {file = "simplejson-3.19.2-cp36-cp36m-musllinux_1_1_aarch64.whl", hash = "sha256:d94245caa3c61f760c4ce4953cfa76e7739b6f2cbfc94cc46fff6c050c2390c5"}, + {file = "simplejson-3.19.2-cp36-cp36m-musllinux_1_1_i686.whl", hash = "sha256:d0e5ffc763678d48ecc8da836f2ae2dd1b6eb2d27a48671066f91694e575173c"}, + {file = "simplejson-3.19.2-cp36-cp36m-musllinux_1_1_ppc64le.whl", hash = "sha256:d222a9ed082cd9f38b58923775152003765016342a12f08f8c123bf893461f28"}, + {file = "simplejson-3.19.2-cp36-cp36m-musllinux_1_1_x86_64.whl", hash = "sha256:8434dcdd347459f9fd9c526117c01fe7ca7b016b6008dddc3c13471098f4f0dc"}, + {file = "simplejson-3.19.2-cp36-cp36m-win32.whl", hash = "sha256:c9ac1c2678abf9270e7228133e5b77c6c3c930ad33a3c1dfbdd76ff2c33b7b50"}, + {file = "simplejson-3.19.2-cp36-cp36m-win_amd64.whl", hash = "sha256:92c4a4a2b1f4846cd4364855cbac83efc48ff5a7d7c06ba014c792dd96483f6f"}, + {file = "simplejson-3.19.2-cp37-cp37m-macosx_10_9_x86_64.whl", hash = 
"sha256:0d551dc931638e2102b8549836a1632e6e7cf620af3d093a7456aa642bff601d"}, + {file = "simplejson-3.19.2-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:73a8a4653f2e809049999d63530180d7b5a344b23a793502413ad1ecea9a0290"}, + {file = "simplejson-3.19.2-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:40847f617287a38623507d08cbcb75d51cf9d4f9551dd6321df40215128325a3"}, + {file = "simplejson-3.19.2-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:be893258d5b68dd3a8cba8deb35dc6411db844a9d35268a8d3793b9d9a256f80"}, + {file = "simplejson-3.19.2-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e9eb3cff1b7d71aa50c89a0536f469cb8d6dcdd585d8f14fb8500d822f3bdee4"}, + {file = "simplejson-3.19.2-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:d0f402e787e6e7ee7876c8b05e2fe6464820d9f35ba3f172e95b5f8b699f6c7f"}, + {file = "simplejson-3.19.2-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:fbbcc6b0639aa09b9649f36f1bcb347b19403fe44109948392fbb5ea69e48c3e"}, + {file = "simplejson-3.19.2-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:2fc697be37585eded0c8581c4788fcfac0e3f84ca635b73a5bf360e28c8ea1a2"}, + {file = "simplejson-3.19.2-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:0b0a3eb6dd39cce23801a50c01a0976971498da49bc8a0590ce311492b82c44b"}, + {file = "simplejson-3.19.2-cp37-cp37m-win32.whl", hash = "sha256:49f9da0d6cd17b600a178439d7d2d57c5ef01f816b1e0e875e8e8b3b42db2693"}, + {file = "simplejson-3.19.2-cp37-cp37m-win_amd64.whl", hash = "sha256:c87c22bd6a987aca976e3d3e23806d17f65426191db36d40da4ae16a6a494cbc"}, + {file = "simplejson-3.19.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:9e4c166f743bb42c5fcc60760fb1c3623e8fda94f6619534217b083e08644b46"}, + {file = "simplejson-3.19.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = 
"sha256:0a48679310e1dd5c9f03481799311a65d343748fe86850b7fb41df4e2c00c087"}, + {file = "simplejson-3.19.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:c0521e0f07cb56415fdb3aae0bbd8701eb31a9dfef47bb57206075a0584ab2a2"}, + {file = "simplejson-3.19.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0d2d5119b1d7a1ed286b8af37357116072fc96700bce3bec5bb81b2e7057ab41"}, + {file = "simplejson-3.19.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2c1467d939932901a97ba4f979e8f2642415fcf02ea12f53a4e3206c9c03bc17"}, + {file = "simplejson-3.19.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:49aaf4546f6023c44d7e7136be84a03a4237f0b2b5fb2b17c3e3770a758fc1a0"}, + {file = "simplejson-3.19.2-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:60848ab779195b72382841fc3fa4f71698a98d9589b0a081a9399904487b5832"}, + {file = "simplejson-3.19.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:0436a70d8eb42bea4fe1a1c32d371d9bb3b62c637969cb33970ad624d5a3336a"}, + {file = "simplejson-3.19.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:49e0e3faf3070abdf71a5c80a97c1afc059b4f45a5aa62de0c2ca0444b51669b"}, + {file = "simplejson-3.19.2-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:ff836cd4041e16003549449cc0a5e372f6b6f871eb89007ab0ee18fb2800fded"}, + {file = "simplejson-3.19.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:3848427b65e31bea2c11f521b6fc7a3145d6e501a1038529da2391aff5970f2f"}, + {file = "simplejson-3.19.2-cp38-cp38-win32.whl", hash = "sha256:3f39bb1f6e620f3e158c8b2eaf1b3e3e54408baca96a02fe891794705e788637"}, + {file = "simplejson-3.19.2-cp38-cp38-win_amd64.whl", hash = "sha256:0405984f3ec1d3f8777c4adc33eac7ab7a3e629f3b1c05fdded63acc7cf01137"}, + {file = "simplejson-3.19.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:445a96543948c011a3a47c8e0f9d61e9785df2544ea5be5ab3bc2be4bd8a2565"}, 
+ {file = "simplejson-3.19.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:4a8c3cc4f9dfc33220246760358c8265dad6e1104f25f0077bbca692d616d358"}, + {file = "simplejson-3.19.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:af9c7e6669c4d0ad7362f79cb2ab6784d71147503e62b57e3d95c4a0f222c01c"}, + {file = "simplejson-3.19.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:064300a4ea17d1cd9ea1706aa0590dcb3be81112aac30233823ee494f02cb78a"}, + {file = "simplejson-3.19.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9453419ea2ab9b21d925d0fd7e3a132a178a191881fab4169b6f96e118cc25bb"}, + {file = "simplejson-3.19.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9e038c615b3906df4c3be8db16b3e24821d26c55177638ea47b3f8f73615111c"}, + {file = "simplejson-3.19.2-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:16ca9c90da4b1f50f089e14485db8c20cbfff2d55424062791a7392b5a9b3ff9"}, + {file = "simplejson-3.19.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:1018bd0d70ce85f165185d2227c71e3b1e446186f9fa9f971b69eee223e1e3cd"}, + {file = "simplejson-3.19.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:e8dd53a8706b15bc0e34f00e6150fbefb35d2fd9235d095b4f83b3c5ed4fa11d"}, + {file = "simplejson-3.19.2-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:2d022b14d7758bfb98405672953fe5c202ea8a9ccf9f6713c5bd0718eba286fd"}, + {file = "simplejson-3.19.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:febffa5b1eda6622d44b245b0685aff6fb555ce0ed734e2d7b1c3acd018a2cff"}, + {file = "simplejson-3.19.2-cp39-cp39-win32.whl", hash = "sha256:4edcd0bf70087b244ba77038db23cd98a1ace2f91b4a3ecef22036314d77ac23"}, + {file = "simplejson-3.19.2-cp39-cp39-win_amd64.whl", hash = "sha256:aad7405c033d32c751d98d3a65801e2797ae77fac284a539f6c3a3e13005edc4"}, + {file = "simplejson-3.19.2-py3-none-any.whl", hash = 
"sha256:bcedf4cae0d47839fee7de344f96b5694ca53c786f28b5f773d4f0b265a159eb"}, + {file = "simplejson-3.19.2.tar.gz", hash = "sha256:9eb442a2442ce417801c912df68e1f6ccfcd41577ae7274953ab3ad24ef7d82c"}, +] + [[package]] name = "six" version = "1.16.0" @@ -660,6 +929,47 @@ files = [ lint = ["docutils-stubs", "flake8", "mypy"] test = ["pytest"] +[[package]] +name = "stix2" +version = "3.0.1" +description = "Produce and consume STIX 2 JSON content" +optional = false +python-versions = ">=3.6" +files = [ + {file = "stix2-3.0.1-py2.py3-none-any.whl", hash = "sha256:827acf0b5b319c1b857c9db0d54907bb438b2b32312d236c891a305ad49b0ba2"}, + {file = "stix2-3.0.1.tar.gz", hash = "sha256:2a2718dc3451c84c709990b2ca220cc39c75ed23e0864d7e8d8190a9365b0cbf"}, +] + +[package.dependencies] +pytz = "*" +requests = "*" +simplejson = "*" +stix2-patterns = ">=1.2.0" + +[package.extras] +semantic = ["haversine", "rapidfuzz"] +taxii = ["taxii2-client (>=2.3.0)"] + +[[package]] +name = "stix2-patterns" +version = "2.0.0" +description = "Validate STIX 2 Patterns." +optional = false +python-versions = ">=3.6" +files = [ + {file = "stix2-patterns-2.0.0.tar.gz", hash = "sha256:07750c5a5af2c758e9d2aa4dde9d8e04bcd162ac2a9b0b4c4de4481d443efa08"}, + {file = "stix2_patterns-2.0.0-py2.py3-none-any.whl", hash = "sha256:ca4d68b2db42ed99794a418388769d2676ca828e9cac0b8629e73cd3f68f6458"}, +] + +[package.dependencies] +antlr4-python3-runtime = ">=4.9.0,<4.10.0" +six = "*" + +[package.extras] +dev = ["bumpversion", "check-manifest", "coverage", "pre-commit", "pytest", "pytest-cov", "sphinx", "sphinx-prompt", "tox"] +docs = ["sphinx", "sphinx-prompt"] +test = ["coverage", "pytest", "pytest-cov"] + [[package]] name = "tornado" version = "6.3.2" 
@@ -680,6 +990,37 @@ files = [ {file = "tornado-6.3.2.tar.gz", hash = "sha256:4b927c4f19b71e627b13f3db2324e4ae660527143f9e1f2e2fb404f3a187e2ba"}, ] +[[package]] +name = "tqdm" +version = "4.66.1" +description = "Fast, Extensible Progress Meter" +optional = false +python-versions = ">=3.7" +files = [ + {file = "tqdm-4.66.1-py3-none-any.whl", hash = "sha256:d302b3c5b53d47bce91fea46679d9c3c6508cf6332229aa1e7d8653723793386"}, + {file = "tqdm-4.66.1.tar.gz", hash = "sha256:d88e651f9db8d8551a62556d3cff9e3034274ca5d66e93197cf2490e2dcb69c7"}, +] + +[package.dependencies] +colorama = {version = "*", markers = "platform_system == \"Windows\""} + +[package.extras] +dev = ["pytest (>=6)", "pytest-cov", "pytest-timeout", "pytest-xdist"] +notebook = ["ipywidgets (>=6)"] +slack = ["slack-sdk"] +telegram = ["requests"] + +[[package]] +name = "tzdata" +version = "2023.3" +description = "Provider of IANA time zone data" +optional = false +python-versions = ">=2" +files = [ + {file = "tzdata-2023.3-py2.py3-none-any.whl", hash = "sha256:7e65763eef3120314099b6939b5546db7adce1e7d6f2e179e3df563c70511eda"}, + {file = "tzdata-2023.3.tar.gz", hash = "sha256:11ef1e08e54acb0d4f95bdb1be05da659673de4acbd21bf9c69e94cc5e907a3a"}, +] + [[package]] name = "urllib3" version = "2.0.4" @@ -715,4 +1056,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p [metadata] lock-version = "2.0" python-versions = "^3.8" -content-hash = "01172af7d2e48b87aaa7870bfd9a6086429f42ac73be4a83e718906694e9ad48" +content-hash = "69072f68935029be2c79983264d5d83ebe8e392b831db73d2ef11003fe7fd057" diff --git a/pyproject.toml b/pyproject.toml index bdb5a82..c3355ab 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -10,6 +10,11 @@ packages = [] [tool.poetry.dependencies] python = "^3.8" pytz = "^2023.3" +stix2 = "^3.0.1" +pandas = "2.0.0" +tqdm = "^4.66.1" +openpyxl = "^3.1.2" +requests = "^2.31.0" sphinxcontrib-excel-table = "^1.0.8" sphinx-panels = "^0.6.0" sphinxawesome-theme = "^4.1.0" 
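Review bot: The `python = "^3.8"` constraint left as context in the pyproject.toml hunk no longer matches the code this commit adds. `create_stix_object` in src/parse/generate_stix.py uses a `match` statement, which needs Python 3.10, and the new src/README.md lists Python ≥3.10 as a prerequisite. Raising the constraint to `python = "^3.10"` and re-locking lets Poetry reject an unsupported interpreter at install time instead of the script failing with a syntax error. `pandas = "2.0.0"` is also an exact pin while the neighbouring entries use caret ranges; if the pin is deliberate, a comment such as `# pinned: <reason>` would record why, otherwise `^2.0.0` matches the rest.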
diff --git a/src/README.md b/src/README.md new file mode 100644 index 0000000..379bb88 --- /dev/null +++ b/src/README.md @@ -0,0 +1,35 @@ +# Tools for Sensor Mappings to MITRE ATT&CK® + +This directory contains a Python package of tools for working with data generated from sensors mappings to ATT&CK. + +## Set up + +You will need the following prerequisites to run the tools: + +1. [Python (≥3.10)](https://www.python.org/downloads/) +2. [Python Poetry](https://python-poetry.org/docs/#installation) + +Once you have the repository cloned, run the following one-time command to initialize a virtual environment and install dependencies: + +``` +poetry install +``` + +Once the dependencies are installed, you will need to activate the [virtual environment](https://python-poetry.org/docs/basic-usage/#activating-the-virtual-environment) in each terminal window prior to using the Python tools. + +``` +poetry shell +``` + +## Tools + +The tools are organized into the following subdirectories. Click the link to view detailed instructions for working with those tools. + +| Directory | Description | +| ----------------------------- | ----------------------------------------------------------------------------------- | +| [`parse/`](./parse) | Script for parsing sensor data and mappings spreadsheets. | +| [`util/`](./util) | Utility scripts to process mappings data, such as Navigator layers, CSV files, etc. | + +## Customization + +To create customized mappings, edit the input data in the [`inputs/`](../mappings/input) directory and then use the tools above to regenerate the outputs. diff --git a/src/parse/README.md b/src/parse/README.md new file mode 100644 index 0000000..d429d50 --- /dev/null +++ b/src/parse/README.md 
@@ -0,0 +1,25 @@ +# Stix Scripts and Data +This folder contains mappings of sensor data to STIX along with the parsing tool + +| File | Description | +| :------------------------------------- | :---------------------------------------------------------------------------------------------------------------- | +| [generate_stix.py](#generate_stix) | Script to build the raw STIX data from the input spreadsheets. Generates a file for each sensor source | + +## parse.py +### Description +Script to build the raw STIX data from the input spreadsheets to generate STIX data. Exports STIX relationship objects and utilizes the CustomObject decorator in STIX2 for the creation of new Data Source, Data Component and Sensor Mapping STIX objects. The script pulls the specified ATT&CK domain data down in STIX format, using the specified ATT&CK version from the given config_location. A file for referencing all created STIX objects is created in output_folder to avoid overwriting STIX IDs when regenerating outputs. + +### Use +| Argument | Description | Default Value | +| :------------------ | :----------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------- | +| attack_domain | attack domain we are mapping. i.e. 'enterprise-attack', 'mobile-attack', 'ics-attack'| enterprise-attack | +| config_location | filepath to the configuration file for the framework | `../../mappings/input/config.json` | +| mappings_location | filepath to the CSV spreadsheets to write the mappings | `../../mappings/input/enterprise/csv` | +| output_folder | folder where STIX bundle files will be saved. | `../../mappings/stix/enterprise` | +| groups | flag for making mappings to group objects | N/A | + + +Generate STIX data from Enterprise ATT&CK +``` +python generate_stix.py -attack_domain enterprise-attack +``` \ No newline at end of file 
diff --git a/src/parse/generate_stix.py b/src/parse/generate_stix.py
new file mode 100644
index 0000000..9a20571
--- /dev/null
+++ b/src/parse/generate_stix.py
@@ -0,0 +1,531 @@ +import uuid +import json +from pathlib import Path +import argparse + +import requests +from tqdm import tqdm +import pandas as pd +from stix2.properties import StringProperty, ReferenceProperty, EnumProperty, ListProperty +from stix2.v21 import Bundle, CustomObject, ExternalReference, Relationship + + +@CustomObject( + 'x-mitre-data-source', [ + ("name", StringProperty()), + ("description", StringProperty()), + ("x_mitre_platforms", ListProperty(StringProperty())), + ("x_mitre_domains", ListProperty(EnumProperty(allowed=['enterprise-attack', 'mobile-attack', 'ics-attack']))), + ("x_mitre_contributors", ListProperty(StringProperty())), + ("x_mitre_collection_layers", ListProperty(StringProperty())), + ("object_marking_refs", ListProperty(ReferenceProperty(valid_types=['marking-definition']))), + ("created_by_ref", ReferenceProperty(valid_types=['identity'])), + ("external_references", ListProperty(ExternalReference)), + ("x_mitre_version", StringProperty()), + ("x_mitre_attack_spec_version", StringProperty()), + ("x_mitre_modified_by_ref", ReferenceProperty(valid_types=['identity'])) + ] +) + + +class DataSource(): + """Custom MITRE Data Source STIX object.""" + def __init__(self, **kwargs): + pass + + +@CustomObject( + 'x-mitre-data-component', [ + ('name', StringProperty()), + ('description', StringProperty()), + ('x_mitre_data_source_ref', ReferenceProperty(valid_types=['x-mitre-data-source'])), + ("x_mitre_version", StringProperty()), + ("x_mitre_attack_spec_version", StringProperty()), + ("x_mitre_domains", ListProperty(EnumProperty(allowed=['enterprise-attack', 'mobile-attack', 'ics-attack']))), + ("x_mitre_modified_by_ref", ReferenceProperty(valid_types=['identity'])), + ("created_by_ref", ReferenceProperty(valid_types=['identity'])), + ("object_marking_refs", ListProperty(ReferenceProperty(valid_types=['marking-definition']))) + ] +) + + +class DataComponent(): + """Custom MITRE Data Component STIX object.""" + def __init__(self, 
**kwargs): + pass + + +@CustomObject( + 'x-mitre-sensor-mapping', [ + ("event_id", StringProperty()), + ("description", StringProperty()), + ("data_source", StringProperty()), + ("data_component", StringProperty()), + ("source", StringProperty()), + ("relationship", StringProperty()), + ("target", StringProperty()), + ("x_mitre_data_source_id", StringProperty()) + ] +) + + +class SensorMapping(): + """Custom MITRE sensor data mapping STIX object.""" + def __init__(self, **kwargs): + pass + + + def equals(self, properties): + """Returns if a SensorMapping is equivalent to the given `properties` dictionary or SensorMapping.""" + prop_map = { + "EVENT ID": "event_id", + "EVENT DESCRIPTION": "description", + "ATT&CK DATA SOURCE ID": "x_mitre_data_source_id", + "ATT&CK DATA SOURCE": "data_source", + "ATT&CK DATA COMPONENT": "data_component", + "SOURCE": "source", + "RELATIONSHIP": "relationship", + "TARGET": "target" + } # Keys are for DataFrame keys. Values are for the corresponding STIX keys. + for key in properties: + if self[prop_map[key]] != properties[key]: + return False + + return True + + +def load_attack_data(version, attack_domain, groups): + """Load ATT&CK STIX data to create reference dictionaries to use when building STIX Bundles.""" + def merge_lists(l1, l2): + for item in l2: + if item not in l1: + l1.append(item) + return l1 + + # load ATT&CK STIX data + print("downloading ATT&CK data... 
", end="", flush=True) + if groups: + enterprise_url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/enterprise-attack/enterprise-attack.json" + ics_url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/ics-attack/ics-attack.json" + mobile_url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/mobile-attack/mobile-attack.json" + attack_data = requests.get(enterprise_url, verify=True).json()["objects"] + attack_data = merge_lists(attack_data, requests.get(ics_url, verify=True).json()["objects"]) + attack_data = merge_lists(attack_data, requests.get(mobile_url, verify=True).json()["objects"]) + else: + attack_url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{version}/{attack_domain}/{attack_domain}.json" + print(attack_url) + attack_data = requests.get(attack_url, verify=True).json()["objects"] + print("done") + + # Now filter attack_data to only have the information we require + source_ids_references = {} + component_ids = {} + tqdm_format = "{desc}: {percentage:3.0f}% |{bar}| {elapsed}<{remaining}{postfix}" + + # Find the already-existing SDO's to avoid duplication + for attack_object in tqdm(attack_data, desc=f"parsing v{version} {attack_domain} data", bar_format=tqdm_format): + type_data_source = "x-mitre-data-source" + type_data_component = "x-mitre-data-component" + + if attack_object["type"] == type_data_source: + if "external_references" not in attack_object: + continue # skip objects without sources_reference + if attack_object.get("revoked", False): + continue # skip revoked objects + if attack_object.get("x_mitre_deprecated", False): + continue # skip deprecated objects + + # map attack ID to stix ID + for reference in attack_object["external_references"]: + if reference["source_name"] == "mitre-attack": + # Map the ATT&CK Data Source ID to its STIX ID + source_ids_references[reference["external_id"]] = attack_object["id"] + + elif attack_object["type"] == type_data_component: + 
component_ids[attack_object["name"]] = attack_object["id"] + return (source_ids_references, component_ids) + + +def bundle_append(bundle, object_to_add): + """Checks to see if `object_to_add` has already been added to `bundle`. If it has not, + it is added.""" + simple_bundle = [item["id"] for item in bundle] + if object_to_add["id"] not in simple_bundle: + bundle.append(object_to_add) + + +def check_mapping_sdo(search_target, obj_list): + """ + Check if `search_target` is in `obj_list`. Return a SensorMapping STIX ID iff all properties of `search_target` are identical to the SensorMapping object's properties from `obj_list. + + Parameters: + `search_target` (Dict): Mapping data for a Sensor Mapping SDO. + `obj_list` (List): List of created SDOs. + """ + + for sdo in obj_list: + if sdo.equals(search_target): + return sdo + + return None + + +def create_stix_object(reference_dict, created_objects, object_type, object_details): + """ + Creates an SDO according to the logic: + - Is it already created within the reference dictionary? + - If not, has it already been created and stored? + - If neither, create an entirely new SDO + + Parameters: + reference_dict (dict): Dictionary of STIX objects details created from an already existing JSON. + created_objects (dict): Dictionary of STIX objects that have already been created thus far. Key : Value + object_type (str): Type of SDO object being created + object_details (dict): Attributes for the object. Varies on `object_type` + + Returns: + Custom STIX Object + """ + id_to_reuse = None + + if object_type == "Sensor Mapping": # It's more complicated since these custom objects are stored as lists + # Check reference_dict first + if object_details["EVENT ID"] in reference_dict: + potential_matches = reference_dict[object_details["EVENT ID"]] + id_to_reuse = check_mapping_sdo(object_details, potential_matches) + if id_to_reuse: + # There is no need to continue, the object has already been created. 
+ return id_to_reuse + # Check created_objects next + elif object_details["EVENT ID"] in created_objects: + potential_matches = created_objects[object_details["EVENT ID"]] + id_to_reuse = check_mapping_sdo(object_details, potential_matches) + if id_to_reuse: + # There is no need to continue, the object has already been created. + return id_to_reuse + + if not id_to_reuse: # If there are no matches, create a new ID for the custom object. + id_to_reuse = f"x-mitre-sensor-mapping--{uuid.uuid4()}" + + new_sdo = SensorMapping( + id=id_to_reuse, + event_id=object_details["EVENT ID"], + description=object_details["EVENT DESCRIPTION"], + data_source=object_details["ATT&CK DATA SOURCE"], + data_component=object_details["ATT&CK DATA COMPONENT"], + source=object_details["SOURCE"], + relationship=object_details["RELATIONSHIP"], + target=object_details["TARGET"], + x_mitre_data_source_id=object_details["ATT&CK DATA SOURCE ID"] + ) + # Keep a reference for the new object + if object_details["EVENT ID"] not in created_objects: + created_objects[object_details["EVENT ID"]] = [new_sdo] + else: + created_objects[object_details["EVENT ID"]].append(new_sdo) + + else: + # Check reference_dict first + if object_details["name"] in reference_dict: + # Extract the SDO ID + id_to_reuse = reference_dict[object_details["name"]] + # Check created_objects next + elif object_details["name"] in created_objects: + # There is no need to continue, the object has already been created. 
+ return created_objects[object_details["name"]] + # If neither contain new object, create a new STIX object according to the object_type + + if not id_to_reuse: + ref = { + "Data Source": "x-mitre-data-source", + "Data Component": "x-mitre-data-component" + } + id_to_reuse = f"{ref[object_type]}--{uuid.uuid4()}" + + match object_type: + case "Data Source": + new_sdo = DataSource( + id=id_to_reuse, + name=object_details["name"], + x_mitre_contributors=["Center for Threat-Informed Defense (CTID)"], + object_marking_refs=["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], + x_mitre_version="1.0", + x_mitre_attack_spec_version="2.1.0", + x_mitre_domains=object_details["domain"], + created_by_ref="identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + x_mitre_modified_by_ref="identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + external_references = [] + ) + case "Data Component": + new_sdo = DataComponent( + id=id_to_reuse, + name=object_details["name"], + x_mitre_data_source_ref=object_details["source ref"], + x_mitre_version="1.0", + x_mitre_attack_spec_version="2.1.0", + x_mitre_domains=object_details["domain"], + x_mitre_modified_by_ref="identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + created_by_ref="identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + object_marking_refs=["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], + allow_custom=True + ) + case _: + raise NotImplementedError("Unexpected object type.") + # Update input parameters + created_objects[object_details["name"]] = new_sdo + return new_sdo + + +def parse_mappings(mappings_location, config_location, attack_domain, data_sdo_ids, relationship_ids, mapped_sensor_sdos, groups=False): + """ + Parse the sensor mappings and return a STIX Bundle with relationship objects conveying the mappings in STIX format. + + :param mappings_location the filepath to the mappings CSV file + :param config_location: the filepath to the JSON configuration file. 
+ :param relationship_ids is a dict of format {relationship-source-id---relationship-target-id -> relationship-id} which maps relationships to desired STIX IDs + :return List of tuples: (Source Mappings, stix2 Bundle) + """ + print("reading framework config... ", end="", flush=True) + # load the mapping config + with config_location.open("r", encoding="utf-8") as f: + config = json.load(f) + version = config["attack_version"] + print("done") + + attack_data_sources, attack_data_components = load_attack_data(version, attack_domain, groups) + + # Match case of attack_data for Data Components to the mappings + attack_data_components = {k.replace(" ", "_").lower(): v for k,v in attack_data_components.items()} + tqdm_format = "{desc}: {percentage:3.0f}% |{bar}| {elapsed}<{remaining}{postfix}" + + # build STIX objects + stix_new_sdo = {} # Holds all new SDO items + bundle_tuples = [] + + attack_type = attack_domain.split('-')[0] + mapping_data = [f for f in mappings_location.glob('*.csv') if f.is_file() and attack_type in f.name] + + stix_relationships = {} + for _csv in mapping_data: + source = _csv.name[:_csv.name.find("-sensors")] + + curr_bundle_objects = [] + mappings_df = pd.read_csv(_csv, keep_default_na=False, header=0) + for idx, row in tqdm(list(mappings_df.iterrows()), desc=f"parsing {source} mappings", bar_format=tqdm_format): + # Check if the data source is already defined in STIX + # If not, create a new SDO + data_source_name = row["ATT&CK DATA SOURCE"] + data_source_id = row["ATT&CK DATA SOURCE ID"] + if data_source_id == "-1": + # A new data source + sdo_details = create_stix_object( + reference_dict=data_sdo_ids, + created_objects=stix_new_sdo, + object_type="Data Source", + object_details={ + "name": data_source_name, + "domain": attack_domain + } + ) + # A new custom SDO. Add the new object to the current bundle + # The newly created SDO will not have all of its fields filled out. Missing fields may be added in the next version. 
+ # Update the SDO with the missing properties using the following command: + # NEW_SDO.new_version(PROPERTY=PROPERTY_VALUE) + data_source_stix_ID = sdo_details.id + bundle_append(curr_bundle_objects, sdo_details) + else: + data_source_stix_ID = attack_data_sources[data_source_id] + + # Check if the data component is already defined in STIX + # If not, create a new SDO + data_component = row["ATT&CK DATA COMPONENT"] + if data_component in attack_data_components: + data_component_stix_ID = attack_data_components[data_component] + else: + sdo_details = create_stix_object( + reference_dict=data_sdo_ids, + created_objects=stix_new_sdo, + object_type="Data Component", + object_details={ + "name": data_component, + "source ref": data_source_stix_ID, + "domain": attack_domain + } + ) + if isinstance(sdo_details, DataComponent): + # A new custom SDO. The newly created SDO will not have all of its fields filled out. Missing fields may be added in the next version. + # Update the SDO with the missing properties using the following command: + # NEW_SDO.new_version(PROPERTY=PROPERTY_VALUE) + data_component_stix_ID = sdo_details.id + bundle_append(curr_bundle_objects, sdo_details) + + # Make the mappings SDO + sdo_details = create_stix_object( + reference_dict=mapped_sensor_sdos, + created_objects=stix_new_sdo, + object_type="Sensor Mapping", + object_details=row.to_dict() + ) + bundle_append(curr_bundle_objects, sdo_details) + + # Create a STIX SRO between the Data Source and Data Component + relation = row["RELATIONSHIP"] + + joined_id = f"{data_source_stix_ID}---{data_component_stix_ID}" + if joined_id in relationship_ids: + relationship_id = relationship_ids[joined_id] + else: + relationship_id = f"relationship--{uuid.uuid4()}" + + relationship = Relationship( + id = relationship_id, + source_ref = data_source_stix_ID, + target_ref = data_component_stix_ID, + relationship_type = relation, + allow_custom=True + ) + bundle_append(curr_bundle_objects, relationship) + if 
joined_id not in stix_relationships: + stix_relationships[joined_id] = relationship + + # Create a bundle for each CSV. Format: (Source Name, Bundle) + bundle = Bundle( + objects = curr_bundle_objects, + allow_custom = True # Needed since ATT&CK data has custom objects + ) + bundle_tuples.append((source, bundle)) + + # Report on new SDOs created + print("\nNew STIX Objects:") + for object in dict(sorted(stix_new_sdo.items())): + if isinstance(stix_new_sdo[object], list): + # Indicates a SensorMapping + continue + print(f"\t{object}\t\t {stix_new_sdo[object]['id'] : >100}") + + # Split the objects that will be written to the reference file. + data_sdos = {_tuple_: stix_new_sdo[_tuple_] for _tuple_ in stix_new_sdo if not isinstance(stix_new_sdo[_tuple_], list)} + _sensor_sdos = {_tuple_: stix_new_sdo[_tuple_] for _tuple_ in stix_new_sdo if isinstance(stix_new_sdo[_tuple_], list)} + # Flatten these dictionaries of lists for bundling + mappings = [] + for _, sdo_list in _sensor_sdos.items(): + mappings.extend(sdo_list) + + bundle_tuples.append(("Reference-for", Bundle( + objects = list(stix_relationships.values()) + list(data_sdos.values()) + mappings, + allow_custom = True + ))) + return bundle_tuples + + +def to_stix_json(bundle_list, output_path): + """Helper function to write a STIX bundle to a file""" + for bundle_tuple in bundle_list: + source, bundle = bundle_tuple + print(f"Bundling and serializing {source} mappings data to JSON file...") + + output_fname = Path(f"{source}-mappings-enterprise.json") + path = output_path.joinpath(output_fname) + with path.open('w', encoding="utf-8") as outfile: + bundle.fp_serialize(outfile, pretty=False, ensure_ascii=False, sort_keys=True, indent=4, include_optional_defaults=True) + print(f'\nDone! 
See {output_path}\n') + + +def _parse_args(): + ROOT_DIR = Path(__file__).parent.parent.parent + + parser = argparse.ArgumentParser(description="Create STIX files from sensor mapping data") + parser.add_argument("-attack_domain", + dest="attack_domain", + help="Attack domain we are mapping. i.e. 'enterprise-attack', 'mobile-attack', 'ics-attack'", + type=str, + choices=["enterprise-attack", "ics-attack", "mobile-attack"], + default="enterprise-attack") + parser.add_argument("-output_folder", + dest="output_location", + help="The folder where STIX bundle file will be saved.", + type=Path, + default=Path(ROOT_DIR, "mappings", "stix", "enterprise")) + parser.add_argument("-config_location", + dest="config_location", + help="filepath to the configuration for the framework", + type=Path, + default=Path(ROOT_DIR, "mappings", "input", "config.json")) + parser.add_argument("-groups", + action="store_true", + help="If specified, create mappings for group objects") + parser.add_argument("-mappings_location", + dest="mappings_location", + help="The folder to the CSV spreadsheets to write the mappings", + type=Path, + default=Path(ROOT_DIR, "mappings", "input", + "enterprise", "csv")) + return parser.parse_args() + + +def use_reference_file(reference_file): + """Helper method extract information about STIX objects from a file on disk. Intended to avoid duplication of SDOs.""" + with reference_file.open("r", encoding="utf-8") as f: + bundle = json.load(f) + + relationship_ids = {} + data_sdo_ids = {} + mapping_objects = {} + + for sdo in bundle["objects"]: + if sdo["type"] in ["x-mitre-data-component", "x-mitre-data-source"]: + data_sdo_ids[sdo["name"]] = sdo["id"] + elif sdo["type"] == "relationship": + from_id = f"{sdo['source_ref']}---{sdo['target_ref']}" + to_id = sdo["id"] + relationship_ids[from_id] = to_id + elif sdo["type"] == "x-mitre-sensor-mapping": + # Sensor Mapping objects can share the 'event_id' field. 
+ # Need to store the entire SDO in order to validate all properties (to reuse the ID) + if sdo["event_id"] not in mapping_objects: + mapping_objects[sdo["event_id"]] = [sdo] + else: + mapping_objects[sdo["event_id"]].append(sdo) + # For every Sensor Mapping SDO stored, it should be converted to a SensorMapping custom object for comparison. + for event_key in mapping_objects: + for index, sdo_dict in enumerate(mapping_objects[event_key]): + mapping_objects[event_key][index] = SensorMapping( + id=sdo_dict["id"], + event_id=sdo_dict["event_id"], + description=sdo_dict["description"], + data_source=sdo_dict["data_source"], + data_component=sdo_dict["data_component"], + relationship=sdo_dict["relationship"], + target=sdo_dict["target"], + source=sdo_dict["source"], + x_mitre_data_source_id=sdo_dict["x_mitre_data_source_id"] + ) + return data_sdo_ids, relationship_ids, mapping_objects + + +if __name__ == "__main__": + """Main entry point to STIX file generation for Sensor data.""" + args = _parse_args() + + # Create output directories as needed + output_location = Path(args.output_location) + output_location.mkdir(parents=True, exist_ok=True) + + # Check if there are already existing STIX files so STIX IDs don't get replaced on rebuild + reference_file = [f for f in output_location.glob('Reference-for*.json') if f.is_file() and args.attack_domain.split('-')[0] in f.name] + if reference_file: + mapping_data_sdo_ids, relationship_ids, mapped_sensor_sdos = use_reference_file(*reference_file) + else: + mapping_data_sdo_ids, relationship_ids, mapped_sensor_sdos = ([] for _ in range(3)) + + + bundles = parse_mappings( + mappings_location=args.mappings_location, + config_location=args.config_location, + attack_domain=args.attack_domain, + data_sdo_ids=mapping_data_sdo_ids, + relationship_ids=relationship_ids, + mapped_sensor_sdos=mapped_sensor_sdos, + groups= True if args.groups else False) + + to_stix_json(bundles, output_location) 
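Review bot: The four `requests.get(..., verify=True)` calls in `load_attack_data` pass no `timeout` and never check the HTTP status. A stalled connection therefore blocks the run indefinitely, and a wrong `attack_version` in config.json would most likely surface as a JSON decode error on the error page rather than as a clear HTTP failure. Routing the downloads through one helper that sets a timeout and calls `raise_for_status()` covers both cases; `verify=True` is already the requests default and can be dropped. The downloaded bundle is then used as the source of STIX IDs with no integrity check, so recording an expected SHA-256 next to `attack_version` in the config and comparing it after download would be a sensible follow-up. Separately, the `__main__` fallback `([] for _ in range(3))` passes lists where the `parse_mappings` docstring describes `relationship_ids` as a dict; `({} for _ in range(3))` keeps the types consistent.

```python
def _fetch_attack_objects(url, timeout=30):
    """Download one ATT&CK STIX bundle and return its list of objects."""
    response = requests.get(url, timeout=timeout)
    response.raise_for_status()  # fail on 4xx/5xx before trying to parse the body
    return response.json()["objects"]


# … unchanged: load_attack_data signature, merge_lists helper, progress print …
    if groups:
        # … unchanged: enterprise_url / ics_url / mobile_url …
        attack_data = _fetch_attack_objects(enterprise_url)
        attack_data = merge_lists(attack_data, _fetch_attack_objects(ics_url))
        attack_data = merge_lists(attack_data, _fetch_attack_objects(mobile_url))
    else:
        # … unchanged: attack_url and its print …
        attack_data = _fetch_attack_objects(attack_url)
```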
diff --git a/src/util/README.md b/src/util/README.md
new file mode 100644
index 0000000..8eebfcb
--- /dev/null
+++ b/src/util/README.md
@@ -0,0 +1,42 @@ +# Utility Scripts +Contains scripts used to create auxiliary data for mappings + +| Script | Purpose | +| :--------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| [create_mappings.py](#create_mappingspy) | From the master excel spreadsheet, generate CSVs for sensor data mappings to be used with the parsing tool. | +| [create_heatmaps.py](#create_heatmapspy) | Enables visualization of the sensor mappings in the ATT&CK Matrix. Builds ATT&CK Navigator heatmap layers from mappings_location. These layers can also be found in the `layers` folder of the attack type in the stix output folder. | | + +## create_mappings.py +### Description +From the master excel spreadsheet, separate data by sensor, standardize it and generate CSVs. These will be used to generate STIX data. +### Use +| Argument | Description | Default Value | +| :------------------- | :------------------------------------------------------- | :--------------------------------------------------------------------------------------------- | +| config_location | filepath to the configuration for the framework | `../../mappings/input/config.json` | +| spreadsheet_location | filepath to the Excel spreadsheet for the mappings | `../../mappings/input/enterprise/xlsx/Sensor ID to Data Source to API v2.xlsx` | +| mappings_location | filepath to the folder to write CSV spreadsheets | `../../mappings/input/enterprise/csv` | + +Use with default arguments +``` +python create_mappings.py +``` + + +## create_heatmaps.py +### Description +Enables visualization of the sensor mappings in the ATT&CK Matrix. The script builds ATT&CK Navigator heatmap layers from the mappings_location folder. These layers can also be found in the `layers` folder of the attack domain in the stix output folder. 
+### Use +| Argument | Description | Default Value | +| :-------------- | :------------------------------------------------------------------------------------------------------ | :-------------------------------------------------------------------------------------- | +| mappings_location | filepath to the STIX Bundle mappings folder | `../../mappings/stix/enterprise` | +| domain | the domain of ATT&CK to visualize (options: enterprise-attack, ics-attack, mobile-attack) | enterprise-attack | +| output | folder to write output layers to | `../../mappings/stix/layers` | +| version | which ATT&CK version to use | 13.1 | +| clear | if flag is specified, will remove the contents of the output folder before writing layers | N/A | + + +To build layers from project root: +``` +$ python src/util/create_heatmaps.py -clear -domain enterprise-attack \ + -mappings_location mappings/stix/enterprise +``` diff --git a/src/util/create_heatmaps.py b/src/util/create_heatmaps.py new file mode 100644 index 0000000..4f9ca35 --- /dev/null +++ b/src/util/create_heatmaps.py 
@@ -0,0 +1,207 @@
+import json
+from pathlib import Path
+import argparse
+import shutil
+
+import requests
+import urllib.parse
+from stix2 import Filter, MemoryStore
+
+
+def create_comparison_layer(input_dir, domain, version):
+ """Take all created layers and create a single sheet that combines comments."""
+ files_to_combine = [file for file in input_dir.glob("*heatmap.json") if file.is_file() and "comparison" not in file.name.lower()]
+
+ # Combine all the technique dictionaries
+ layers = []
+ for file in files_to_combine:
+ with file.open("r", encoding="utf-8") as f:
+ layers.append(json.load(f))
+
+ # Each object in all_techniques is a list of technique dictionaries
+ all_techniques = {}
+
+ sensor_names = [layer["name"] for layer in layers]
+ for layer in layers:
+ technique_dicts = layer["techniques"]
+ for technique in technique_dicts:
+ attack_id = technique["techniqueID"]
+ comment = technique["comment"]
+ if attack_id not in all_techniques:
+ all_techniques[attack_id] = {
+ "score": 1,
+ "comment": comment
+ }
+ else:
+ all_techniques[attack_id]["comment"] += f"\n\n{comment}"
+
+ # Calculate score at the end
+ for technique in all_techniques:
+ val = 0
+ comment = all_techniques[technique]["comment"]
+ for name in sensor_names:
+ if name in comment:
+ val += 1
+ all_techniques[technique]["score"] = val
+
+ # Convert all_techniques to a list of technique dictionaries
+ techniques = []
+ for technique_dict in all_techniques:
+ techniques.append({
+ "techniqueID": technique_dict,
+ "score": all_techniques[technique_dict]["score"],
+ "comment": all_techniques[technique_dict]["comment"]
+ })
+
+ compared_layer = create_layer("Sensor Comparisons", domain, techniques, version)
+
+ output_path = Path(input_dir, "sensor-comparison-heatmap.json")
+ with output_path.open("w", encoding="utf-8") as f:
+ json.dump(compared_layer, f, indent=4)
+
+
+def create_layer(name, domain, techniques, version, description=""):
+ """create a Layer"""
+ min_mappings = min(map(lambda t: t["score"], techniques)) if len(techniques) > 0 else 0
+ max_mappings = max(map(lambda t: t["score"], techniques)) if len(techniques) > 0 else 100
+ gradient = ["#ff6666", "#ffe766ff", "#8ec843"]
+ # check if all the same count of mappings
+ if max_mappings - min_mappings == 0:
+ min_mappings = 0 # set low end of gradient to 0
+
+ # convert version to just major version
+ if version.startswith("v"):
+ version = version[1:]
+ version = version.split(".")[0]
+
+ return {
+ "name": name,
+ "versions": {
+ "navigator": "4.8.2",
+ "layer": "4.4",
+ "attack": version
+ },
+ "sorting": 0,
+ "description": description,
+ "domain": domain,
+ "techniques": techniques,
+ "gradient": {
+ "colors": gradient,
+ "minValue": min_mappings,
+ "maxValue": max_mappings
+ },
+ }
+
+
+def layer_technique_field(attack_id, event_ids, sensor_name):
+ """create a technique for a layer"""
+ return {
+ "techniqueID": attack_id,
+ "score": 1,
+ "comment": f"{sensor_name}: {', '.join(sorted(event_ids))}", # list of mapped event IDs
+ }
+
+
+def to_technique_list(mappings, attack_data):
+ """
+ Take `mappings` MemoryStore object and `attack_data` MemoryStore object. Query the x_mitre_data_source field and return found techniques as a dictionary(attack id -> set of event IDs).
+ """
+ techniques = {}
+ for mapping in mappings.query():
+ if mapping["type"] != "x-mitre-sensor-mapping":
+ continue
+ attack_data_source_query = f"{mapping['data_source']}: {mapping['data_component']}"
+ atk_patterns = attack_data.query(Filter("x_mitre_data_sources", "contains", attack_data_source_query))
+ if not atk_patterns:
+ continue # Skip new data source & data component combinations
+ event_id = mapping["event_id"]
+ _techniques = [attack_id["external_references"][0]["external_id"] for attack_id in atk_patterns if not attack_id["x_mitre_is_subtechnique"]]
+ for attack_id in _techniques:
+ if attack_id in techniques:
+ techniques[attack_id].add(event_id)
+ else:
+ techniques[attack_id] = set([event_id])
+ return techniques
+
+
+def create_mappings_heatmap(files_to_visualize, out_dir, attack_data, domain, version, clear):
+ for current_file in files_to_visualize:
+ sensor_name = current_file.name[:current_file.name.find("-mappings")]
+ print(f"loading mappings from {current_file} ... ", end="", flush=True)
+ with open(current_file, "r") as f:
+ mappings = MemoryStore(stix_data=json.load(f)["objects"])
+ print("done")
+
+ print(f"generating layer for {sensor_name}... ", end="", flush=True)
+ tech_dict = to_technique_list(mappings, attack_data)
+ techs = [layer_technique_field(attack_id, tech_dict[attack_id], sensor_name) for attack_id in tech_dict]
+ layer = create_layer(name=sensor_name, domain=domain, techniques=techs, version=version)
+
+ if clear:
+ print("clearing layers directory...", end="", flush=True)
+ shutil.rmtree(out_dir, ignore_errors=True)
+ print("done")
+
+ # make path if it does not exist
+ print(f"writing layers for {sensor_name}... ", end="", flush=True)
+ layer_path = Path(out_dir, f"{sensor_name}-heatmap.json")
+ layer_path.parent.mkdir(parents=True, exist_ok=True)
+ with layer_path.open("w", encoding="utf-8") as f:
+ json.dump(layer, f, indent=4)
+ print("done\n")
+
+
+def _parse_args():
+ ROOT_DIR = Path(__file__).parent.parent.parent
+
+ parser = argparse.ArgumentParser(description="Create ATT&CK Navigator layers from sensor data mappings")
+ parser.add_argument("-mappings_location",
+ dest="mappings_location",
+ help="filepath to the STIX Bundle mappings",
+ type=Path,
+ default=Path(ROOT_DIR, "mappings", "stix",
+ "enterprise"))
+ parser.add_argument("-domain",
+ dest="domain",
+ help="The domain of ATT&CK to visualize",
+ type=str,
+ choices=["enterprise-attack", "ics-attack", "mobile-attack"],
+ default="enterprise-attack")
+ parser.add_argument("-output",
+ dest="output_location",
+ help="The folder where layers will be saved to.",
+ type=Path,
+ default=Path(ROOT_DIR, "mappings", "stix", "layers"))
+ parser.add_argument("-version",
+ dest="version",
+ help="which ATT&CK version to use",
+ default="13.1")
+ parser.add_argument("-clear",
+ action="store_true",
+ help="if flag specified, will remove the contents the output folder before writing layers")
+
+ return parser.parse_args()
+
+
+def main():
+ args = _parse_args()
+ domain_dirs = {
+ "enterprise-attack": "enterprise",
+ "ics-attack": "ics",
+ "mobile-attack": "mobile",
+ }
+ out_dir = Path(args.output_location, domain_dirs[args.domain])
+
+ url = f"https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v{args.version}/{args.domain}/{args.domain}.json"
+ print(f"downloading ATT&CK data from {url} ... ", end="", flush=True)
+ attack_data = MemoryStore(stix_data=requests.get(url, verify=True).json()["objects"])
+ print("done")
+
+ files_to_visualize = [file for file in args.mappings_location.glob('*mappings*.json') if file.is_file() and domain_dirs[args.domain] in file.name and 'reference' not in file.name.lower()]
+
+ create_mappings_heatmap(files_to_visualize, out_dir, attack_data, args.domain, args.version, args.clear)
+ create_comparison_layer(out_dir, args.domain, args.version)
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/src/util/create_mappings.py b/src/util/create_mappings.py
new file mode 100644
index 0000000..8e8f643
--- /dev/null
+++ b/src/util/create_mappings.py
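Review bot: In `main()` of create_heatmaps.py, `requests.get(url, verify=True)` has no timeout and its status is never checked, so a stalled connection hangs the script and an unknown `-version` surfaces as a JSON decoding error rather than a clear download failure. I would split the call into `resp = requests.get(url, timeout=30)`, `resp.raise_for_status()` and `attack_data = MemoryStore(stix_data=resp.json()["objects"])`. `-version` is also interpolated into the URL path unvalidated while `urllib.parse` is imported but unused; `urllib.parse.quote(args.version, safe="")` would keep the value inside one path segment. Separately, in `create_mappings_heatmap` the `if clear:` block sits between building a layer and writing it, so (indentation is not visible in this rendering) it appears to run `shutil.rmtree(out_dir, ignore_errors=True)` once per mappings file and remove the layers already written for earlier sensors; clearing once before the loop avoids that.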
@@ -0,0 +1,123 @@
+import argparse
+import csv
+import json
+from pathlib import Path
+
+import numpy as np
+import pandas as pd
+
+
+def standardize(sheet, *columns_to_exclude):
+ """Helper method to standardize columns used for STIX data."""
+ skip = ["Worksheet Name", "Event Description", "Event ID"] + list(*columns_to_exclude)
+ for col in sheet.columns:
+ # Remove whitespace
+ for idx, row in sheet.iterrows():
+ # Pandas does not have a good way to select only string values in a column, so we iterate by row to do our replacements.
+ if isinstance(row[col], str):
+ sheet.loc[:, col] = sheet.loc[:, col].str.strip()
+ if col in skip:
+ # Avoid modifying these columns
+ continue
+ # Match case
+ sheet.loc[:, col] = sheet.loc[:, col].str.replace(" ", "_")
+ sheet.loc[:, col] = sheet.loc[:, col].str.lower()
+ sheet.drop_duplicates(inplace=True, ignore_index=True)
+ # After dropping duplicates, revert changes.
+ for col in sheet.columns:
+ for idx, row in sheet.iterrows():
+ if isinstance(row[col], str):
+ if col in skip:
+ continue
+ sheet.loc[:, col] = sheet.loc[:, col].str.replace("_", " ")
+ sheet.loc[:, col] = sheet.loc[:, col].str.title()
+ sheet.loc[:, col] = sheet.loc[:, col].str.replace("Wmi", "WMI")
+
+
+def get_sheets(spreadsheet_location, config_location):
+ """Helper method to separate combined Excel sheet into individual Dataframes"""
+ with config_location.open("r", encoding="utf-8") as f:
+ config = json.load(f)
+ version = config["attack_version"]
+
+ df = pd.read_excel(spreadsheet_location, sheet_name="Combined Events", usecols="A,C:I")
+ standardize(df)
+
+ # Merge in the Data Source ID's from the ATT&CK Data Source CSV
+ datasource_csv_location = spreadsheet_location.parent.parent.parent
+ data_source_ids = pd.read_csv(Path(datasource_csv_location, f"enterprise-attack-v{version}-datasources.csv"), usecols=[0, 1])
+
+ df = df.merge(data_source_ids, how="left", left_on="Data Source", right_on="name")
+ df.drop(columns=["name"], inplace=True)
+ df.rename(columns={"ID":"Data Source ID"}, inplace=True)
+ df = df[['Worksheet Name', 'Data Source', 'Data Source ID', 'Data Component', 'Event Description',
+ 'Event ID', 'Source', 'Relationship', 'Target']]
+ df["Data Source ID"] = df["Data Source ID"].apply(lambda n: -1 if pd.isna(n) else n)
+ # Where a value of `-1` indicates that this is a new ATT&CK Data Source
+
+ worksheet_names = df["Worksheet Name"].dropna().unique()
+ sheets = []
+ for _worksheet in worksheet_names:
+ _df = df[df["Worksheet Name"] == _worksheet].reset_index(drop=True)
+ sheets.append((_df, _worksheet))
+ return sheets
+
+
+def generate_csv_spreadsheet(sheets, mappings_location):
+ """Reads the main XSLX mappings file and creates a spreadsheet for the mappings in CSV"""
+ if not mappings_location.exists():
+ mappings_location.mkdir(parents=True)
+
+ for sheet, name in sheets:
+ with mappings_location.joinpath(f"{name}-sensors-mappings-enterprise.csv").open('w', newline='\n', encoding='utf-8') as csvfile:
+ fieldnames = ['EVENT ID', 'EVENT DESCRIPTION', 'ATT&CK DATA SOURCE ID', 'ATT&CK DATA SOURCE', 'ATT&CK DATA COMPONENT', 'SOURCE', 'RELATIONSHIP', 'TARGET']
+ dataframe_fields = ['Event ID', 'Event Description', 'Data Source ID', 'Data Source', 'Data Component', 'Source', 'Relationship', 'Target']
+
+ writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
+ writer.writeheader()
+
+ for idx, row in sheet.iterrows():
+ csv_row = {}
+ for i in range(len(fieldnames)):
+ if pd.isna(row[dataframe_fields[i]]):
+ continue
+ csv_row[fieldnames[i]] = row[dataframe_fields[i]]
+ is_mapped = (pd.notna(row["Data Source"])) and (pd.notna(row["Data Component"])) and (pd.notna(row["Relationship"]))
+ if is_mapped:
+ writer.writerow(csv_row)
+ # Skip any rows without mappable fields
+
+
+def _parse_args():
+ ROOT_DIR = Path(__file__).parent.parent.parent
+
+ parser = argparse.ArgumentParser(description="Create mappings from sensors data")
+ parser.add_argument("-config_location",
+ dest="config_location",
+ help="filepath to the configuration for the framework",
+ type=Path,
+ default=Path(ROOT_DIR, "mappings", "input", "config.json"))
+ parser.add_argument("-spreadsheet_location",
+ dest="spreadsheet_location",
+ help="filepath to the Excel spreadsheet for the mappings",
+ type=Path,
+ default=Path(ROOT_DIR, "mappings", "input",
+ "enterprise", "xlsx", "Sensor ID to Data Source to API v2.xlsx"))
+ parser.add_argument("-mappings_location",
+ dest="mappings_location",
+ help="filepath to the folder to write CSV spreadsheets",
+ type=Path,
+ default=Path(ROOT_DIR, "mappings", "input",
+ "enterprise", "csv"))
+ return parser.parse_args()
+
+
+def main():
+ args = _parse_args()
+ sheets = get_sheets(args.spreadsheet_location, args.config_location)
+ generate_csv_spreadsheet(sheets, args.mappings_location)
+
+
+if __name__ == '__main__':
+ main()
+
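Review bot: In `standardize`, `list(*columns_to_exclude)` unpacks the varargs into `list()`, so a single column name passed as a string is split into its characters and two or more names raise `TypeError`; only the no-argument call made in `get_sheets` works as intended. `skip = ["Worksheet Name", "Event Description", "Event ID"] + list(columns_to_exclude)` matches what the signature suggests. In `generate_csv_spreadsheet`, the `Worksheet Name` cell value goes straight into `mappings_location.joinpath(f"{name}-sensors-mappings-enterprise.csv")`, so a name containing a path separator would place the CSV outside the intended folder; skipping or rejecting names where `Path(name).name != name` before opening the file guards against that. `numpy` is imported but not used anywhere in this file.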