
Axon: MITRE ATT&CK® Streaming Analytics User Guide

This user guide is meant to be used with the MITRE ATT&CK® Streaming Analytic rules and contains configuration and tuning notes.

T1003:OS Credential Dumping

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1007:System Service Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1012:Query Registry

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1016:System Network Configuration Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1018:Remote System Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1033:System Owner/User Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1053:Scheduled Task

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1059:Command and Scripting Interpreter

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1543.003:Windows Service

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1550.002:Pass the Hash

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1021.002:SMB/Windows Admin Shares

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1047:Windows Management Instrumentation

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1057:Process Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1059.001:PowerShell

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1069:Permission Groups Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1070.006:Timestomp

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1082:System Information Discovery

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1087:Account Discovery

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1218.011:Rundll32

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1490:Inhibit System Recovery

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1547.001:Registry Run Keys/Startup Folder

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1218.010:Regsvr32

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1558.003:Kerberoasting:Invoke-Kerberoast

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1569.002:Service Execution

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1550.003:Pass the Ticket

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1562.002:Impair Defenses: Disable Windows Event Logging

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1106:Native API

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1134.002:Access Token Manipulation:Create Process with Token

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1190:Exploit Public-Facing Application:SQL Injection

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1484.002:Domain Trust Modification

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1489:Service Stop

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1539:Steal Web Session Cookie

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1621:MFA Request Generation:Rapid Okta AD Authentication Success

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1114.003:Email Forwarding

Streaming Analytic Filter:


Configuration Notes:

Enable “Create Case” to automatically create a case upon detection.

This rule requires the M365 Threat Management log source.

T1083:File and Directory Discovery

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1566.001:Spearphishing Attachment

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1558.003:Kerberoasting:TGS Requests for Multiple Services

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1090.001:Proxy

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1078.004:Cloud Accounts

Streaming Analytic Filter:


Configuration Notes:

Enable “Create Case” to automatically create a case upon detection.

This rule requires a List to be populated before enabling. Populate the “MA:Cloud Accounts” list with the cloud administrative accounts applicable to your company’s network, applications, services, etc.

T1059.001:PowerShell:ProviderLifeCycle

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1136.003:Cloud Account

Streaming Analytic Filter:


Configuration Notes:

Enable “Create Case” to automatically create a case upon detection.

This rule requires the Azure Active Directory log source.

T1199:Trusted Relationship

Streaming Analytic Filter:


Configuration Notes:

Enable “Create Case” to automatically create a case upon detection.

This rule requires a List to be populated before enabling. This analytic monitors for activity from third-party accounts. Add the names of the accounts you would like to monitor to the list named "MA:Third Party Accounts". Refer to the Origin Account Name field of existing logs to ensure the account name format is correct.

T1078.001:Default Accounts

Streaming Analytic Filter:


Configuration Notes:

Enable “Create Case” to automatically create a case upon detection.

This rule requires a List to be populated before enabling. This analytic monitors for activity from default accounts. Add the names of the default accounts you would like to monitor to the list named "MA:Default Accounts". Refer to the Origin Account Name field of existing logs to ensure the account name format is correct.

T1621:MFA Request Generation:Okta Push from Non-Safelisted Location

Streaming Analytic Filter:


Configuration Notes:

Enable “Create Case” to automatically create a case upon detection.

This rule requires a List to be populated before enabling. This analytic compares Okta push activity against a list of safelisted regions. Add the names of the regions you consider safelisted to the list named " Safelisted Regions".

T1078.003:Local Accounts

Streaming Analytic Filter:


Configuration Notes:

Enable “Create Case” to automatically create a case upon detection.

This rule requires a List to be populated before enabling. This analytic monitors for activity from local accounts. Populate the “MA:Local Accounts” list with the local accounts applicable to your company’s network, applications, services, etc. Refer to the Origin Account Name field of existing logs to ensure the account name format is correct.

T1621:MFA Request Generation:Repeated OKTA Push Denies then Allow

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1562.001:Disable or Modify Tools:Windows Defender

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1098:Account Manipulation

Streaming Analytic Filter:


Configuration Note:

Enable “Create Case” to automatically create a case upon detection.
