
Axon: MITRE ATT&CK® Streaming Analytics User Guide

This user guide accompanies the MITRE ATT&CK® Streaming Analytics rules and contains configuration and tuning notes for each rule.

T1003:OS Credential Dumping

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1007:System Service Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1012:Query Registry

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1016:System Network Configuration Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1018:Remote System Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1033:System Owner/User Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1053:Scheduled Task

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1059:Command and Scripting Interpreter

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1543.003:Windows Service

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1550.002:Pass the Hash

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1021.002:SMB/Windows Admin Shares

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1047:Windows Management Instrumentation

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1057:Process Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1059.001:PowerShell

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1069:Permission Groups Discovery

Streaming Analytic Filter:

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1070.006:Timestomp

Streaming Analytic Filter:

image-20240117-211357.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1082:System Information Discovery

Streaming Analytic Filter:

image-20240117-211536.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1087:Account Discovery

Streaming Analytic Filter:

image-20240117-211649.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1218.011:Rundll32

Streaming Analytic Filter:

image-20240117-211812.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1490:Inhibit System Recovery

Streaming Analytic Filter:

image-20240117-211929.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1547.001:Registry Run Keys/Startup Folder

Streaming Analytic Filter:

image-20240117-212046.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1218.010:Regsvr32

Streaming Analytic Filter:

image-20240117-212239.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1558.003:Kerberoasting:Invoke-Kerberoast

Streaming Analytic Filter:

image-20240117-212414.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1569.002:Service Execution

Streaming Analytic Filter:

image-20240117-212559.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1550.003:Pass the Ticket

Streaming Analytic Filter:

image-20240117-212724.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1562.002:Impair Defenses: Disable Windows Event Logging

Streaming Analytic Filter:

image-20240117-212852.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1106:Native API

Streaming Analytic Filter:

image-20240117-213018.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1134.002:Access Token Manipulation:Create Process with Token

Streaming Analytic Filter:

image-20240117-213133.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1190:Exploit Public-Facing Application:SQL Injection

Streaming Analytic Filter:

image-20240117-213428.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1484.002:Domain Trust Modification

Streaming Analytic Filter:

image-20240117-213539.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1489:Service Stop

Streaming Analytic Filter:

image-20240117-213726.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1539:Steal Web Session Cookie

Streaming Analytic Filter:

image-20240117-214603.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1621:MFA Request Generation:Rapid Okta AD Authentication Success

Streaming Analytic Filter:

image-20240117-214728.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1114.003:Email Forwarding

Streaming Analytic Filter:

image-20240117-214853.png

Configuration Notes:

Enable “Create Case” to automatically create a case upon detection.

This rule requires the M365 Threat Management log source.

T1083:File and Directory Discovery

Streaming Analytic Filter:

image-20240117-215024.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1566.001:Spearphishing Attachment

Streaming Analytic Filter:

image-20240122-172943.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

Streaming Analytic Filter:

image-20240117-215315.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.

T1558.003:Kerberoasting:TGS Requests for Multiple Services

Streaming Analytic Filter:

image-20240125-170117.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.
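The rule title describes the pattern it looks for: a single account requesting Kerberos service tickets (Windows Security event 4769) for many distinct SPNs within a short window, which is what Kerberoasting tools do when they enumerate and request every SPN at once. The Python below is an added illustration of that threshold logic run over constructed sample events; it is not the Axon Streaming Analytic filter shown in the screenshot, and the field names, the five-minute window, the five-service threshold and the computer-account and krbtgt exclusions are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 events (not real logs). Field names are assumptions
# chosen to mirror the common 4769 attributes: requesting account, target
# service name (SPN) and ticket encryption type (0x17 = RC4, 0x12 = AES256).
SAMPLE_EVENTS = [
    # jdoe: six distinct SPNs, all RC4 tickets, inside two minutes -> suspicious
    {"ts": "2024-01-25T17:01:00", "account": "jdoe", "service": "MSSQLSvc/db01.corp.local:1433", "enc": "0x17"},
    {"ts": "2024-01-25T17:01:05", "account": "jdoe", "service": "HTTP/web01.corp.local", "enc": "0x17"},
    {"ts": "2024-01-25T17:01:10", "account": "jdoe", "service": "MSSQLSvc/db02.corp.local:1433", "enc": "0x17"},
    {"ts": "2024-01-25T17:01:20", "account": "jdoe", "service": "HTTP/web02.corp.local", "enc": "0x17"},
    {"ts": "2024-01-25T17:01:30", "account": "jdoe", "service": "CIFS/file01.corp.local", "enc": "0x17"},
    {"ts": "2024-01-25T17:02:40", "account": "jdoe", "service": "ldap/dc01.corp.local", "enc": "0x17"},
    # alice: six distinct SPNs but spread over an hour -> ordinary workday usage
    {"ts": "2024-01-25T09:00:00", "account": "alice", "service": "HTTP/web01.corp.local", "enc": "0x12"},
    {"ts": "2024-01-25T09:12:00", "account": "alice", "service": "CIFS/file01.corp.local", "enc": "0x12"},
    {"ts": "2024-01-25T09:25:00", "account": "alice", "service": "MSSQLSvc/db01.corp.local:1433", "enc": "0x12"},
    {"ts": "2024-01-25T09:38:00", "account": "alice", "service": "HTTP/web02.corp.local", "enc": "0x12"},
    {"ts": "2024-01-25T09:50:00", "account": "alice", "service": "ldap/dc01.corp.local", "enc": "0x12"},
    {"ts": "2024-01-25T10:05:00", "account": "alice", "service": "CIFS/file02.corp.local", "enc": "0x12"},
    # host01$: computer account; machines legitimately request many SPNs at boot
    {"ts": "2024-01-25T06:00:00", "account": "host01$", "service": "ldap/dc01.corp.local", "enc": "0x12"},
    {"ts": "2024-01-25T06:00:01", "account": "host01$", "service": "cifs/dc01.corp.local", "enc": "0x12"},
    {"ts": "2024-01-25T06:00:02", "account": "host01$", "service": "HOST/dc01.corp.local", "enc": "0x12"},
    {"ts": "2024-01-25T06:00:03", "account": "host01$", "service": "GC/dc01.corp.local", "enc": "0x12"},
    {"ts": "2024-01-25T06:00:04", "account": "host01$", "service": "DNS/dc01.corp.local", "enc": "0x12"},
    # svc_backup: a TGT renewal plus two services -> below threshold
    {"ts": "2024-01-25T08:00:00", "account": "svc_backup", "service": "CIFS/file01.corp.local", "enc": "0x12"},
    {"ts": "2024-01-25T08:00:30", "account": "svc_backup", "service": "krbtgt/CORP.LOCAL", "enc": "0x12"},
    {"ts": "2024-01-25T08:01:00", "account": "svc_backup", "service": "CIFS/file02.corp.local", "enc": "0x12"},
]


def kerberoast_candidates(events, window=timedelta(minutes=5), min_services=5):
    """Return {account: details} for accounts that requested tickets for at
    least `min_services` distinct SPNs inside any `window`-long span.

    Exclusions (assumptions for this example): computer accounts (names
    ending in '$') and krbtgt, which is a TGT renewal rather than a service
    ticket an attacker would crack offline.
    """
    by_account = defaultdict(list)
    for e in events:
        account, service = e["account"], e["service"]
        if account.endswith("$") or service.lower().startswith("krbtgt/"):
            continue
        by_account[account].append((datetime.fromisoformat(e["ts"]), service, e["enc"]))

    hits = {}
    for account, requests in by_account.items():
        requests.sort()  # chronological, so each index can open a sliding window
        for i, (start, _, _) in enumerate(requests):
            in_window = [(svc, enc) for ts, svc, enc in requests[i:] if ts - start <= window]
            services = {svc for svc, _ in in_window}
            if len(services) >= min_services:
                hits[account] = {
                    "window_start": start.isoformat(),
                    "services": sorted(services),
                    # RC4 (0x17) tickets are the classic Kerberoasting tell,
                    # because RC4 hashes crack far faster than AES.
                    "rc4_tickets": sum(1 for _, enc in in_window if enc == "0x17"),
                }
                break  # one hit per account is enough to open a case
    return hits


if __name__ == "__main__":
    for account, info in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{account}: {len(info['services'])} SPNs from {info['window_start']}, "
              f"{info['rc4_tickets']} RC4 tickets")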

T1090.001:Proxy

Streaming Analytic Filter:

image-20240212-222122.png

Configuration Note:

Enable “Create Case” to automatically create a case upon detection.
