567 KiB
Matrix,Tactic,Technique,"Sub-Technique",App,Active,Available,"Needs data","Sub_Technique_Total","Tactic_Total","Technique_Total",Bookmarked,"Data Source",IsSubTechnique "Enterprise ATT&CK","Initial Access","Valid Accounts","-",Any,0,0,63,0,112,101,0,"::4,AWS::28,Anti-Virus or Anti-Malware::4,Authentication::24,Box::4,Change Events Data::20,GCP::20,Network Communication::4,SFDC::8,Ticket Management::8,User Activity Audit::4,Web Server::4,Windows Security::120",No "Enterprise ATT&CK","Initial Access","Valid Accounts","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Valid Accounts","-","Enterprise Security Content Update",0,0,19,0,112,101,0,"::4,AWS::28,Change Events Data::20,GCP::20,Web Server::4,Windows Security::120",No "Enterprise ATT&CK","Initial Access","Valid Accounts","-","Splunk App for Enterprise Security",0,0,8,0,112,101,0,"Anti-Virus or Anti-Malware::4,Authentication::24,User Activity Audit::4,Windows Security::120",No "Enterprise ATT&CK","Initial Access","Valid Accounts","-","Splunk Security Essentials",0,0,22,0,112,101,0,"AWS::28,GCP::20,SFDC::8,Ticket Management::8,Windows Security::120",No "Enterprise ATT&CK","Initial Access","Valid Accounts","-","Splunk User Behavior Analytics",0,0,14,0,112,101,0,"Authentication::24,Box::4,Network Communication::4,Windows Security::120",No "Enterprise ATT&CK","Initial Access","Valid Accounts","Default Accounts",Any,0,0,4,4,112,101,0,"Okta::0",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Default Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Default Accounts","Enterprise Security Content Update",0,0,4,4,112,101,0,"Okta::0",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Default Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Default Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid 
Accounts","Default Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Domain Accounts",Any,0,1,4,5,112,101,0,"Change Events Data::20,HR System::0,Windows Security::120",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Domain Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Domain Accounts","Enterprise Security Content Update",0,1,4,5,112,101,0,"Change Events Data::20,HR System::0,Windows Security::120",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Domain Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Domain Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Domain Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Local Accounts",Any,0,0,3,3,112,101,0,"Change Events Data::20,Windows Security::120",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Local Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Local Accounts","Enterprise Security Content Update",0,0,1,3,112,101,0,"Change Events Data::20",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Local Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Local Accounts","Splunk Security Essentials",0,0,2,3,112,101,0,"Windows Security::120",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Local Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Cloud Accounts",Any,0,0,26,26,112,101,0,"AWS::28,Azure::0,Change Events Data::20",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Cloud Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial 
Access","Valid Accounts","Cloud Accounts","Enterprise Security Content Update",0,0,19,26,112,101,0,"AWS::28,Change Events Data::20",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Cloud Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Cloud Accounts","Splunk Security Essentials",0,0,7,26,112,101,0,"Azure::0",Yes "Enterprise ATT&CK","Initial Access","Valid Accounts","Cloud Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Local System","-",Any,0,0,1,0,30,1,0,"Microsoft Sysmon Logs::1",No "Enterprise ATT&CK",Collection,"Data from Local System","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Local System","-","Enterprise Security Content Update",0,0,1,0,30,1,0,"Microsoft Sysmon Logs::1",No "Enterprise ATT&CK",Collection,"Data from Local System","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Local System","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Local System","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Obfuscation","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Obfuscation","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Obfuscation","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Obfuscation","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Obfuscation","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Obfuscation","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","OS Credential Dumping","-",Any,0,0,6,0,35,33,0,"Endpoint Detection and Response::4,Windows 
Security::2",No "Enterprise ATT&CK","Credential Access","OS Credential Dumping","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","OS Credential Dumping","-","Enterprise Security Content Update",0,0,4,0,35,33,0,"Endpoint Detection and Response::4,Windows Security::2",No "Enterprise ATT&CK","Credential Access","OS Credential Dumping","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","OS Credential Dumping","-","Splunk Security Essentials",0,0,2,0,35,33,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK","Credential Access","OS Credential Dumping","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Direct Volume Access","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Direct Volume Access","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Direct Volume Access","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Direct Volume Access","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Direct Volume Access","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Direct Volume Access","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Service Discovery","-",Any,0,0,4,0,118,4,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK",Discovery,"System Service Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Service Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Service Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Service Discovery","-","Splunk Security Essentials",0,0,4,0,118,4,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK",Discovery,"System Service 
Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Windows Management Instrumentation","-",Any,0,0,13,0,49,13,0,"Endpoint Detection and Response::10,Windows Security::3",No "Enterprise ATT&CK",Execution,"Windows Management Instrumentation","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Windows Management Instrumentation","-","Enterprise Security Content Update",0,0,12,0,49,13,0,"Endpoint Detection and Response::10,Windows Security::3",No "Enterprise ATT&CK",Execution,"Windows Management Instrumentation","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Windows Management Instrumentation","-","Splunk Security Essentials",0,0,1,0,49,13,0,"Endpoint Detection and Response::10",No "Enterprise ATT&CK",Execution,"Windows Management Instrumentation","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","-",Any,0,0,7,0,56,7,0,"Anti-Virus or Anti-Malware::1,Box::2,Network Communication::4",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","-","Splunk User Behavior Analytics",0,0,7,0,56,7,0,"Anti-Virus or Anti-Malware::1,Box::2,Network Communication::4",No "Enterprise ATT&CK",Impact,"Data Destruction","-",Any,0,0,15,0,51,15,0,"Box::1,Endpoint Detection and Response::12,Microsoft Sysmon Logs::2",No "Enterprise ATT&CK",Impact,"Data Destruction","-","Custom 
Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Destruction","-","Enterprise Security Content Update",0,0,14,0,51,15,0,"Endpoint Detection and Response::12,Microsoft Sysmon Logs::2",No "Enterprise ATT&CK",Impact,"Data Destruction","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Destruction","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Destruction","-","Splunk User Behavior Analytics",0,0,1,0,51,15,0,"Box::1",No "Enterprise ATT&CK","Initial Access","Replication Through Removable Media","-",Any,0,0,3,0,112,3,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK","Initial Access","Replication Through Removable Media","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Replication Through Removable Media","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Replication Through Removable Media","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Replication Through Removable Media","-","Splunk Security Essentials",0,0,1,0,112,3,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK","Initial Access","Replication Through Removable Media","-","Splunk User Behavior Analytics",0,0,2,0,112,3,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK","Lateral Movement","Remote Services","-",Any,0,0,10,0,19,38,0,"Endpoint Detection and Response::3,Network Communication::2,Windows Security::5",No "Enterprise ATT&CK","Lateral Movement","Remote Services","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Remote Services","-","Enterprise Security Content Update",0,0,1,0,19,38,0,"Endpoint Detection and Response::3",No "Enterprise ATT&CK","Lateral Movement","Remote Services","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Remote Services","-","Splunk Security 
Essentials",0,0,7,0,19,38,0,"Endpoint Detection and Response::3,Network Communication::2,Windows Security::5",No "Enterprise ATT&CK","Lateral Movement","Remote Services","-","Splunk User Behavior Analytics",0,0,2,0,19,38,0,"Network Communication::2,Windows Security::5",No "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK",Reconnaissance,"Gather Victim Identity Information","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Obfuscation","Junk Data",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Junk Data","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Junk Data","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Junk Data","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Junk Data","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Junk Data","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSASS 
Memory",Any,0,0,13,13,35,33,1,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0,Windows Security::2",Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSASS Memory","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSASS Memory","Enterprise Security Content Update",0,0,13,13,35,33,1,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0,Windows Security::2",Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSASS Memory","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSASS Memory","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSASS Memory","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","Exfiltration Over Bluetooth",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","Exfiltration Over Bluetooth","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","Exfiltration Over Bluetooth","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","Exfiltration Over Bluetooth","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","Exfiltration Over Bluetooth","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Other Network Medium","Exfiltration Over Bluetooth","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Remote Desktop Protocol",Any,0,0,8,8,19,38,0,"Endpoint Detection and Response::3,Network Communication::2,Ticket Management::0,Windows Security::5",Yes "Enterprise ATT&CK","Lateral Movement","Remote 
Services","Remote Desktop Protocol","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Remote Desktop Protocol","Enterprise Security Content Update",0,0,5,8,19,38,0,"Endpoint Detection and Response::3,Network Communication::2,Windows Security::5",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Remote Desktop Protocol","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Remote Desktop Protocol","Splunk Security Essentials",0,0,3,8,19,38,0,"Ticket Management::0,Windows Security::5",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Remote Desktop Protocol","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Windows)",Any,0,0,1,1,100,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Windows)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Windows)","Enterprise Security Content Update",0,0,1,1,100,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Windows)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Windows)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Windows)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Windows)",Any,0,0,1,1,102,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Windows)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Windows)","Enterprise Security Content Update",0,0,1,1,102,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Windows)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Windows)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Windows)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information",Credentials,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information",Credentials,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information",Credentials,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information",Credentials,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information",Credentials,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information",Credentials,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Domains,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Domains,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Domains,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Domains,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Domains,"Splunk 
Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Domains,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation",Steganography,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation",Steganography,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation",Steganography,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation",Steganography,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation",Steganography,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation",Steganography,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Security Account Manager",Any,0,0,7,7,35,33,0,"Endpoint Detection and Response::4,Windows Security::2",Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Security Account Manager","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Security Account Manager","Enterprise Security Content Update",0,0,7,7,35,33,0,"Endpoint Detection and Response::4,Windows Security::2",Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Security Account Manager","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Security Account Manager","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Security Account Manager","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","SMB/Windows Admin Shares",Any,0,0,8,8,19,38,0,"Endpoint Detection and Response::3,Network Communication::2,Windows 
Security::5",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","SMB/Windows Admin Shares","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","SMB/Windows Admin Shares","Enterprise Security Content Update",0,0,5,8,19,38,0,"Endpoint Detection and Response::3,Network Communication::2,Windows Security::5",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","SMB/Windows Admin Shares","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","SMB/Windows Admin Shares","Splunk Security Essentials",0,0,3,8,19,38,0,"Endpoint Detection and Response::3,Network Communication::2",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","SMB/Windows Admin Shares","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Mac)",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Mac)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Mac)","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Mac)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Mac)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Logon Script (Mac)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Mac)",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Mac)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization 
Scripts","Logon Script (Mac)","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Mac)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Mac)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Logon Script (Mac)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Email Addresses",Any,0,0,1,1,5,1,0,"Windows Security::0",Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Email Addresses","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Email Addresses","Enterprise Security Content Update",0,0,1,1,5,1,0,"Windows Security::0",Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Email Addresses","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Email Addresses","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Email Addresses","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","DNS Server",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","DNS Server","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","DNS Server","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","DNS Server","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","DNS Server","Splunk Security 
Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","DNS Server","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Protocol Impersonation",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Protocol Impersonation","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Protocol Impersonation","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Protocol Impersonation","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Protocol Impersonation","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Obfuscation","Protocol Impersonation","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",NTDS,Any,0,0,6,6,35,33,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",NTDS,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",NTDS,"Enterprise Security Content Update",0,0,6,6,35,33,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",NTDS,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",NTDS,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",NTDS,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Distributed Component Object Model",Any,0,0,5,5,19,38,0,"Endpoint Detection and Response::3,Windows Security::5",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Distributed Component Object Model","Custom 
Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Distributed Component Object Model","Enterprise Security Content Update",0,0,5,5,19,38,0,"Endpoint Detection and Response::3,Windows Security::5",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Distributed Component Object Model","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Distributed Component Object Model","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Distributed Component Object Model","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Network Logon Script",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Network Logon Script","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Network Logon Script","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Network Logon Script","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Network Logon Script","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Network Logon Script","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Network Logon Script",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Network Logon Script","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Network Logon Script","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon 
Initialization Scripts","Network Logon Script","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Network Logon Script","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Network Logon Script","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Employee Names",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Employee Names","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Employee Names","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Employee Names","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Employee Names","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Identity Information","Employee Names","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Virtual Private Server",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Virtual Private Server","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Virtual Private Server","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Virtual Private Server","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Virtual Private Server","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Virtual Private 
Server","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSA Secrets",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSA Secrets","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSA Secrets","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSA Secrets","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSA Secrets","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","LSA Secrets","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",SSH,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",SSH,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",SSH,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",SSH,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",SSH,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",SSH,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","RC Scripts",Any,0,0,1,1,100,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","RC Scripts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","RC Scripts","Enterprise Security Content Update",0,0,1,1,100,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","RC Scripts","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","RC Scripts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","RC Scripts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","RC Scripts",Any,0,0,1,1,102,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","RC Scripts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","RC Scripts","Enterprise Security Content Update",0,0,1,1,102,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","RC Scripts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","RC Scripts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","RC Scripts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Server,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Server,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Server,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Server,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Server,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Server,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential 
Dumping","Cached Domain Credentials",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Cached Domain Credentials","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Cached Domain Credentials","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Cached Domain Credentials","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Cached Domain Credentials","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Cached Domain Credentials","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",VNC,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",VNC,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",VNC,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",VNC,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",VNC,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services",VNC,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Startup Items",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Startup Items","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Startup Items","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Startup Items","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization 
Scripts","Startup Items","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Initialization Scripts","Startup Items","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Startup Items",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Startup Items","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Startup Items","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Startup Items","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Startup Items","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Initialization Scripts","Startup Items","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Botnet,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Botnet,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Botnet,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Botnet,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Botnet,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure",Botnet,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",DCSync,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",DCSync,"Custom Content",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Credential Access","OS Credential Dumping",DCSync,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",DCSync,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",DCSync,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping",DCSync,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Windows Remote Management",Any,0,0,7,7,19,38,0,"Endpoint Detection and Response::3,Ticket Management::0,Windows Security::5",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Windows Remote Management","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Windows Remote Management","Enterprise Security Content Update",0,0,6,7,19,38,0,"Endpoint Detection and Response::3,Windows Security::5",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Windows Remote Management","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Windows Remote Management","Splunk Security Essentials",0,0,1,7,19,38,0,"Ticket Management::0",Yes "Enterprise ATT&CK","Lateral Movement","Remote Services","Windows Remote Management","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Web Services",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Web Services","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Web Services","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Web Services","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire 
Infrastructure","Web Services","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Acquire Infrastructure","Web Services","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Proc Filesystem",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Proc Filesystem","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Proc Filesystem","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Proc Filesystem","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Proc Filesystem","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","Proc Filesystem","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","/etc/passwd and /etc/shadow",Any,0,0,1,1,35,33,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","/etc/passwd and /etc/shadow","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","/etc/passwd and /etc/shadow","Enterprise Security Content Update",0,0,1,1,35,33,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","/etc/passwd and /etc/shadow","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","/etc/passwd and /etc/shadow","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","OS Credential Dumping","/etc/passwd and /etc/shadow","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Removable Media","-",Any,0,0,1,0,30,1,0,"Endpoint Detection and 
Response::1",No "Enterprise ATT&CK",Collection,"Data from Removable Media","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Removable Media","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Removable Media","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Removable Media","-","Splunk Security Essentials",0,0,1,0,30,1,0,"Endpoint Detection and Response::1",No "Enterprise ATT&CK",Collection,"Data from Removable Media","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Fallback Channels","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Fallback Channels","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Fallback Channels","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Fallback Channels","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Fallback Channels","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Fallback Channels","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Network Sniffing","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Network Sniffing","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Network Sniffing","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Network Sniffing","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Network Sniffing","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Network Sniffing","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion",Rootkit,"-",Any,0,0,1,0,154,1,0,"Microsoft 
Sysmon Logs::1",No "Enterprise ATT&CK","Defense Evasion",Rootkit,"-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion",Rootkit,"-","Enterprise Security Content Update",0,0,1,0,154,1,0,"Microsoft Sysmon Logs::1",No "Enterprise ATT&CK","Defense Evasion",Rootkit,"-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion",Rootkit,"-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion",Rootkit,"-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Application Window Discovery","-",Any,0,0,2,0,118,2,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK",Discovery,"Application Window Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Application Window Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Application Window Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Application Window Discovery","-","Splunk Security Essentials",0,0,2,0,118,2,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK",Discovery,"Application Window Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Scheduled Task/Job","-",Any,0,0,7,0,49,33,0,"Endpoint Detection and Response::9,Windows Security::12",No "Enterprise ATT&CK",Execution,"Scheduled Task/Job","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Scheduled Task/Job","-","Enterprise Security Content Update",0,0,3,0,49,33,0,"Endpoint Detection and Response::9,Windows Security::12",No "Enterprise ATT&CK",Execution,"Scheduled Task/Job","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Scheduled Task/Job","-","Splunk Security Essentials",0,0,4,0,49,33,0,"Endpoint Detection and Response::9,Windows Security::12",No "Enterprise ATT&CK",Execution,"Scheduled Task/Job","-","Splunk 
User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","-",Any,0,0,2,0,56,3,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","-","Enterprise Security Content Update",0,0,2,0,56,3,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Encrypted for Impact","-",Any,0,0,8,0,51,8,0,"AWS::2,Endpoint Detection and Response::4,Microsoft Sysmon Logs::2",No "Enterprise ATT&CK",Impact,"Data Encrypted for Impact","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Encrypted for Impact","-","Enterprise Security Content Update",0,0,7,0,51,8,0,"AWS::2,Endpoint Detection and Response::4,Microsoft Sysmon Logs::2",No "Enterprise ATT&CK",Impact,"Data Encrypted for Impact","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Encrypted for Impact","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Encrypted for Impact","-","Splunk User Behavior Analytics",0,0,1,0,51,8,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK","Initial Access","External Remote Services","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","External Remote Services","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","External Remote Services","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","External Remote Services","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK","Initial Access","External Remote Services","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","External Remote Services","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Software Deployment Tools","-",Any,0,0,1,0,19,1,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK","Lateral Movement","Software Deployment Tools","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Software Deployment Tools","-","Enterprise Security Content Update",0,0,1,0,19,1,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK","Lateral Movement","Software Deployment Tools","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Software Deployment Tools","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Software Deployment Tools","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","-",Any,0,0,7,0,100,33,0,"Endpoint Detection and Response::9,Windows Security::12",No "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","-","Enterprise Security Content Update",0,0,3,0,100,33,0,"Endpoint Detection and Response::9,Windows Security::12",No "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","-","Splunk Security Essentials",0,0,4,0,100,33,0,"Endpoint Detection and Response::9,Windows Security::12",No "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","-",Any,0,0,7,0,102,33,0,"Endpoint Detection and Response::9,Windows Security::12",No "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","-","Custom 
Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","-","Enterprise Security Content Update",0,0,3,0,102,33,0,"Endpoint Detection and Response::9,Windows Security::12",No "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","-","Splunk Security Essentials",0,0,4,0,102,33,0,"Endpoint Detection and Response::9,Windows Security::12",No "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise 
Infrastructure","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Linux)",Any,0,0,2,2,49,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Linux)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Linux)","Enterprise Security Content Update",0,0,2,2,49,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Linux)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Linux)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Linux)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","Traffic Duplication",Any,0,0,1,1,56,3,0,"Cisco IOS::0",Yes "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","Traffic Duplication","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","Traffic Duplication","Enterprise Security Content Update",0,0,1,1,56,3,0,"Cisco IOS::0",Yes "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","Traffic Duplication","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","Traffic Duplication","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Automated Exfiltration","Traffic Duplication","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Linux)",Any,0,0,2,2,100,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Linux)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Linux)","Enterprise Security Content Update",0,0,2,2,100,33,0,"Endpoint Detection and Response::9",Yes "Enterprise 
ATT&CK",Persistence,"Scheduled Task/Job","At (Linux)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Linux)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Linux)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Linux)",Any,0,0,2,2,102,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Linux)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Linux)","Enterprise Security Content Update",0,0,2,2,102,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Linux)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Linux)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Linux)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Domain Properties",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Domain Properties","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Domain Properties","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Domain Properties","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Domain Properties","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Domain Properties","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource 
Development","Compromise Infrastructure",Domains,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Domains,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Domains,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Domains,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Domains,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Domains,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Windows)",Any,0,0,1,1,49,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Windows)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Windows)","Enterprise Security Content Update",0,0,1,1,49,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Windows)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Windows)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","At (Windows)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Windows)",Any,0,0,1,1,100,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Windows)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Windows)","Enterprise Security Content Update",0,0,1,1,100,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Windows)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Persistence,"Scheduled Task/Job","At (Windows)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","At (Windows)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Windows)",Any,0,0,1,1,102,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Windows)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Windows)","Enterprise Security Content Update",0,0,1,1,102,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Windows)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Windows)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","At (Windows)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information",DNS,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information",DNS,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information",DNS,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information",DNS,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information",DNS,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information",DNS,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","DNS Server",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","DNS Server","Custom Content",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Resource Development","Compromise Infrastructure","DNS Server","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","DNS Server","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","DNS Server","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","DNS Server","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Cron,Any,0,0,5,5,49,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Cron,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Cron,"Enterprise Security Content Update",0,0,5,5,49,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Cron,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Cron,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Cron,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Cron,Any,0,0,5,5,100,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Cron,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Cron,"Enterprise Security Content Update",0,0,5,5,100,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Cron,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Cron,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Cron,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled 
Task/Job",Cron,Any,0,0,5,5,102,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Cron,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Cron,"Enterprise Security Content Update",0,0,5,5,102,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Cron,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Cron,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Cron,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Trust Dependencies",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Trust Dependencies","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Trust Dependencies","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Trust Dependencies","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Trust Dependencies","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Trust Dependencies","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Virtual Private Server",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Virtual Private Server","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Virtual Private Server","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Resource Development","Compromise Infrastructure","Virtual Private Server","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Virtual Private Server","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Virtual Private Server","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Launchd,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Launchd,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Launchd,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Launchd,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Launchd,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job",Launchd,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Launchd,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Launchd,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Launchd,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Launchd,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Launchd,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job",Launchd,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Launchd,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Launchd,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Launchd,"Enterprise Security Content 
Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Launchd,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Launchd,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job",Launchd,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Topology",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Topology","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Topology","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Topology","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Topology","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Topology","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Server,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Server,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Server,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Server,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Server,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Server,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled 
Task/Job","Scheduled Task",Any,0,0,15,15,49,33,0,"Endpoint Detection and Response::9,Microsoft Windows Task Scheduler::0,Windows Security::12",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Scheduled Task","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Scheduled Task","Enterprise Security Content Update",0,0,15,15,49,33,0,"Endpoint Detection and Response::9,Microsoft Windows Task Scheduler::0,Windows Security::12",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Scheduled Task","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Scheduled Task","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Scheduled Task","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Scheduled Task",Any,0,0,15,15,100,33,0,"Endpoint Detection and Response::9,Microsoft Windows Task Scheduler::0,Windows Security::12",Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Scheduled Task","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Scheduled Task","Enterprise Security Content Update",0,0,15,15,100,33,0,"Endpoint Detection and Response::9,Microsoft Windows Task Scheduler::0,Windows Security::12",Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Scheduled Task","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Scheduled Task","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Scheduled Task","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Scheduled Task",Any,0,0,15,15,102,33,0,"Endpoint Detection and Response::9,Microsoft Windows Task Scheduler::0,Windows Security::12",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Scheduled 
Task","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Scheduled Task","Enterprise Security Content Update",0,0,15,15,102,33,0,"Endpoint Detection and Response::9,Microsoft Windows Task Scheduler::0,Windows Security::12",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Scheduled Task","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Scheduled Task","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Scheduled Task","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","IP Addresses",Any,0,0,1,1,5,1,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","IP Addresses","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","IP Addresses","Enterprise Security Content Update",0,0,1,1,5,1,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","IP Addresses","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","IP Addresses","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","IP Addresses","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Botnet,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Botnet,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Botnet,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Botnet,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Botnet,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure",Botnet,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Systemd Timers",Any,0,0,3,3,49,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Systemd Timers","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Systemd Timers","Enterprise Security Content Update",0,0,3,3,49,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Systemd Timers","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Systemd Timers","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Systemd Timers","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Systemd Timers",Any,0,0,3,3,100,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Systemd Timers","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Systemd Timers","Enterprise Security Content Update",0,0,3,3,100,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Systemd Timers","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Systemd Timers","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Systemd Timers","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Systemd Timers",Any,0,0,3,3,102,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Systemd 
Timers","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Systemd Timers","Enterprise Security Content Update",0,0,3,3,102,33,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Systemd Timers","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Systemd Timers","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Systemd Timers","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Security Appliances",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Security Appliances","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Security Appliances","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Security Appliances","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Security Appliances","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Network Information","Network Security Appliances","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Web Services",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Web Services","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Web Services","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Web Services","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Web Services","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Infrastructure","Web Services","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Container Orchestration Job",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Container Orchestration Job","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Container Orchestration Job","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Container Orchestration Job","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Container Orchestration Job","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Scheduled Task/Job","Container Orchestration Job","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Container Orchestration Job",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Container Orchestration Job","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Container Orchestration Job","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Container Orchestration Job","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Container Orchestration Job","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Scheduled Task/Job","Container Orchestration Job","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Container Orchestration Job",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled 
Task/Job","Container Orchestration Job","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Container Orchestration Job","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Container Orchestration Job","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Container Orchestration Job","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Scheduled Task/Job","Container Orchestration Job","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Network Shared Drive","-",Any,0,0,3,0,30,3,0,"Cerner::1,Network Communication::2",No "Enterprise ATT&CK",Collection,"Data from Network Shared Drive","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Network Shared Drive","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Network Shared Drive","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Network Shared Drive","-","Splunk Security Essentials",0,0,1,0,30,3,0,"Cerner::1",No "Enterprise ATT&CK",Collection,"Data from Network Shared Drive","-","Splunk User Behavior Analytics",0,0,2,0,30,3,0,"Network Communication::2",No "Enterprise ATT&CK","Command and Control","Application Layer Protocol","-",Any,0,0,16,0,48,22,0,"DNS::3,Network Communication::8,Web Proxy::5",No "Enterprise ATT&CK","Command and Control","Application Layer Protocol","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Application Layer Protocol","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Application Layer Protocol","-","Splunk App for Enterprise Security",0,0,2,0,48,22,0,"DNS::3,Network Communication::8",No "Enterprise ATT&CK","Command and 
Control","Application Layer Protocol","-","Splunk Security Essentials",0,0,6,0,48,22,0,"DNS::3,Network Communication::8,Web Proxy::5",No "Enterprise ATT&CK","Command and Control","Application Layer Protocol","-","Splunk User Behavior Analytics",0,0,8,0,48,22,0,"DNS::3,Network Communication::8,Web Proxy::5",No "Enterprise ATT&CK","Credential Access","Input Capture","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Input Capture","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Input Capture","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Input Capture","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Input Capture","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Input Capture","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","-",Any,0,0,4,0,154,7,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::1,Windows Security::1",No "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","-","Enterprise Security Content Update",0,0,3,0,154,7,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::1,Windows Security::1",No "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","-","Splunk Security Essentials",0,0,1,0,154,7,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Query Registry","-",Any,0,0,2,0,118,2,0,"Endpoint Detection and Response::2",No "Enterprise 
ATT&CK",Discovery,"Query Registry","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Query Registry","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Query Registry","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Query Registry","-","Splunk Security Essentials",0,0,2,0,118,2,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK",Discovery,"Query Registry","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","-",Any,0,0,11,0,49,49,0,"Endpoint Detection and Response::9,Network Communication::1,Risk Modifiers::1",No "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","-","Enterprise Security Content Update",0,0,6,0,49,49,0,"Endpoint Detection and Response::9,Network Communication::1,Risk Modifiers::1",No "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","-","Splunk Security Essentials",0,0,5,0,49,49,0,"Endpoint Detection and Response::9",No "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Scheduled Transfer","-",Any,0,0,2,0,56,2,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK",Exfiltration,"Scheduled Transfer","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Scheduled Transfer","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Scheduled Transfer","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Scheduled Transfer","-","Splunk Security Essentials",0,0,2,0,56,2,0,"Endpoint Detection and Response::2",No "Enterprise 
ATT&CK",Exfiltration,"Scheduled Transfer","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Service Stop","-",Any,0,0,3,0,51,3,0,"Endpoint Detection and Response::3",No "Enterprise ATT&CK",Impact,"Service Stop","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Service Stop","-","Enterprise Security Content Update",0,0,3,0,51,3,0,"Endpoint Detection and Response::3",No "Enterprise ATT&CK",Impact,"Service Stop","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Service Stop","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Service Stop","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Drive-by Compromise","-",Any,0,0,9,0,112,9,0,"::1,Anti-Virus or Anti-Malware::6,DNS::1,Web Proxy::1",No "Enterprise ATT&CK","Initial Access","Drive-by Compromise","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Drive-by Compromise","-","Enterprise Security Content Update",0,0,2,0,112,9,0,"::1,DNS::1",No "Enterprise ATT&CK","Initial Access","Drive-by Compromise","-","Splunk App for Enterprise Security",0,0,2,0,112,9,0,"Anti-Virus or Anti-Malware::6",No "Enterprise ATT&CK","Initial Access","Drive-by Compromise","-","Splunk Security Essentials",0,0,4,0,112,9,0,"Anti-Virus or Anti-Malware::6",No "Enterprise ATT&CK","Initial Access","Drive-by Compromise","-","Splunk User Behavior Analytics",0,0,1,0,112,9,0,"Web Proxy::1",No "Enterprise ATT&CK","Lateral Movement","Taint Shared Content","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Taint Shared Content","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Taint Shared Content","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Taint Shared Content","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Taint Shared 
Content","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Taint Shared Content","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Valid Accounts","-",Any,0,0,63,0,100,101,0,"::4,AWS::28,Anti-Virus or Anti-Malware::4,Authentication::24,Box::4,Change Events Data::20,GCP::20,Network Communication::4,SFDC::8,Ticket Management::8,User Activity Audit::4,Web Server::4,Windows Security::120",No "Enterprise ATT&CK",Persistence,"Valid Accounts","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Valid Accounts","-","Enterprise Security Content Update",0,0,19,0,100,101,0,"::4,AWS::28,Change Events Data::20,GCP::20,Web Server::4,Windows Security::120",No "Enterprise ATT&CK",Persistence,"Valid Accounts","-","Splunk App for Enterprise Security",0,0,8,0,100,101,0,"Anti-Virus or Anti-Malware::4,Authentication::24,User Activity Audit::4,Windows Security::120",No "Enterprise ATT&CK",Persistence,"Valid Accounts","-","Splunk Security Essentials",0,0,22,0,100,101,0,"AWS::28,GCP::20,SFDC::8,Ticket Management::8,Windows Security::120",No "Enterprise ATT&CK",Persistence,"Valid Accounts","-","Splunk User Behavior Analytics",0,0,14,0,100,101,0,"Authentication::24,Box::4,Network Communication::4,Windows Security::120",No "Enterprise ATT&CK","Privilege Escalation","Process Injection","-",Any,0,0,17,0,102,19,0,"Endpoint Detection and Response::14,Microsoft Sysmon Logs::12,Network Communication::6,Windows Security::2",No "Enterprise ATT&CK","Privilege Escalation","Process Injection","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Process Injection","-","Enterprise Security Content Update",0,0,17,0,102,19,0,"Endpoint Detection and Response::14,Microsoft Sysmon Logs::12,Network Communication::6,Windows Security::2",No "Enterprise ATT&CK","Privilege Escalation","Process Injection","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK","Privilege Escalation","Process Injection","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Process Injection","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Establish Accounts","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Establish Accounts","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Establish Accounts","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Establish Accounts","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Establish Accounts","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Establish Accounts","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Web Protocols",Any,0,0,2,2,48,22,0,"Network Communication::8,Web Server::0",Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Web Protocols","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Web Protocols","Enterprise Security Content 
Update",0,0,2,2,48,22,0,"Network Communication::8,Web Server::0",Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Web Protocols","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Web Protocols","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Web Protocols","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture",Keylogging,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture",Keylogging,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture",Keylogging,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture",Keylogging,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture",Keylogging,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture",Keylogging,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Binary Padding",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Binary Padding","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Binary Padding","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Binary Padding","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Binary Padding","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Binary Padding","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Execution,"Command and Scripting Interpreter",PowerShell,Any,0,0,19,19,49,49,0,"Endpoint Detection and Response::9,Windows Security::0",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",PowerShell,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",PowerShell,"Enterprise Security Content Update",0,0,18,19,49,49,0,"Endpoint Detection and Response::9,Windows Security::0",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",PowerShell,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",PowerShell,"Splunk Security Essentials",0,0,1,19,49,49,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",PowerShell,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Default Accounts",Any,0,0,4,4,100,101,0,"Okta::0",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Default Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Default Accounts","Enterprise Security Content Update",0,0,4,4,100,101,0,"Okta::0",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Default Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Default Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Default Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Dynamic-link Library Injection",Any,0,0,2,2,102,19,0,"Endpoint Detection and Response::14,Microsoft Sysmon Logs::12",Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Dynamic-link Library Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Dynamic-link Library 
Injection","Enterprise Security Content Update",0,0,2,2,102,19,0,"Endpoint Detection and Response::14,Microsoft Sysmon Logs::12",Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Dynamic-link Library Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Dynamic-link Library Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Dynamic-link Library Injection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Determine Physical Locations",Any,0,0,4,4,5,4,0,"Physical Security::0",Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Determine Physical Locations","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Determine Physical Locations","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Determine Physical Locations","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Determine Physical Locations","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Determine Physical Locations","Splunk User Behavior Analytics",0,0,4,4,5,4,0,"Physical Security::0",Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Social Media Accounts",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Social Media Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Social Media Accounts","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Social Media Accounts","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Social Media Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Social Media Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","File Transfer Protocols",Any,0,0,1,1,48,22,0,"Network Communication::8",Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","File Transfer Protocols","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","File Transfer Protocols","Enterprise Security Content Update",0,0,1,1,48,22,0,"Network Communication::8",Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","File Transfer Protocols","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","File Transfer Protocols","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","File Transfer Protocols","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","GUI Input Capture",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","GUI Input Capture","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","GUI Input Capture","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","GUI Input Capture","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","GUI Input Capture","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","GUI Input Capture","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or 
Information","Software Packing",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Software Packing","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Software Packing","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Software Packing","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Software Packing","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Software Packing","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",AppleScript,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",AppleScript,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",AppleScript,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",AppleScript,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",AppleScript,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",AppleScript,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Domain Accounts",Any,0,1,4,5,100,101,0,"Change Events Data::20,HR System::0,Windows Security::120",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Domain Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Domain Accounts","Enterprise Security Content Update",0,1,4,5,100,101,0,"Change Events Data::20,HR System::0,Windows Security::120",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Domain 
Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Domain Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Domain Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Portable Executable Injection",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Portable Executable Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Portable Executable Injection","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Portable Executable Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Portable Executable Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Portable Executable Injection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Business Relationships",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Business Relationships","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Business Relationships","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Business Relationships","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Business Relationships","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Business Relationships","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource 
Development","Establish Accounts","Email Accounts",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Email Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Email Accounts","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Email Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Email Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Establish Accounts","Email Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Mail Protocols",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Mail Protocols","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Mail Protocols","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Mail Protocols","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Mail Protocols","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol","Mail Protocols","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Web Portal Capture",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Web Portal Capture","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Web Portal Capture","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Web Portal Capture","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Web Portal Capture","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Web Portal Capture","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information",Steganography,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information",Steganography,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information",Steganography,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information",Steganography,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information",Steganography,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information",Steganography,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Windows Command Shell",Any,0,0,9,9,49,49,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Windows Command Shell","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Windows Command Shell","Enterprise Security Content Update",0,0,8,9,49,49,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Windows Command Shell","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Windows Command Shell","Splunk Security Essentials",0,0,1,9,49,49,0,"Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Windows Command Shell","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK",Persistence,"Valid Accounts","Local Accounts",Any,0,0,3,3,100,101,0,"Change Events Data::20,Windows Security::120",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Local Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Local Accounts","Enterprise Security Content Update",0,0,1,3,100,101,0,"Change Events Data::20",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Local Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Local Accounts","Splunk Security Essentials",0,0,2,3,100,101,0,"Windows Security::120",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Local Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Execution Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Execution Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Execution Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Execution Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Execution Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Execution Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Business Tempo",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Business Tempo","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Business Tempo","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Business Tempo","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Business Tempo","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Business Tempo","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol",DNS,Any,0,0,3,3,48,22,0,"DNS::3",Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol",DNS,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol",DNS,"Enterprise Security Content Update",0,0,3,3,48,22,0,"DNS::3",Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol",DNS,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol",DNS,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Application Layer Protocol",DNS,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Credential API Hooking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Credential API Hooking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Credential API Hooking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Credential API Hooking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Credential API Hooking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Input Capture","Credential API Hooking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or 
Information","Compile After Delivery",Any,0,0,1,1,154,7,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Compile After Delivery","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Compile After Delivery","Enterprise Security Content Update",0,0,1,1,154,7,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Compile After Delivery","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Compile After Delivery","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Compile After Delivery","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Unix Shell",Any,0,0,2,2,49,49,0,"::0,Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Unix Shell","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Unix Shell","Enterprise Security Content Update",0,0,2,2,49,49,0,"::0,Endpoint Detection and Response::9",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Unix Shell","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Unix Shell","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Unix Shell","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Cloud Accounts",Any,0,0,26,26,100,101,0,"AWS::28,Azure::0,Change Events Data::20",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Cloud Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Cloud 
Accounts","Enterprise Security Content Update",0,0,19,26,100,101,0,"AWS::28,Change Events Data::20",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Cloud Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Cloud Accounts","Splunk Security Essentials",0,0,7,26,100,101,0,"Azure::0",Yes "Enterprise ATT&CK",Persistence,"Valid Accounts","Cloud Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Asynchronous Procedure Call",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Asynchronous Procedure Call","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Asynchronous Procedure Call","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Asynchronous Procedure Call","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Asynchronous Procedure Call","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Asynchronous Procedure Call","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Roles",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Roles","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Roles","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Roles","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org Information","Identify Roles","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Org 
Information","Identify Roles","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Indicator Removal from Tools",Any,0,0,2,2,154,7,0,"Windows Security::1",Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Indicator Removal from Tools","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Indicator Removal from Tools","Enterprise Security Content Update",0,0,2,2,154,7,0,"Windows Security::1",Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Indicator Removal from Tools","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Indicator Removal from Tools","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","Indicator Removal from Tools","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Visual Basic",Any,0,0,4,4,49,49,0,"Endpoint Detection and Response::9,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Visual Basic","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Visual Basic","Enterprise Security Content Update",0,0,4,4,49,49,0,"Endpoint Detection and Response::9,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Visual Basic","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Visual Basic","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Visual Basic","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Local 
Storage",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Local Storage","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Local Storage","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Local Storage","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Local Storage","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Thread Local Storage","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","HTML Smuggling",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","HTML Smuggling","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","HTML Smuggling","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","HTML Smuggling","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","HTML Smuggling","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Obfuscated Files or Information","HTML Smuggling","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",Python,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",Python,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",Python,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",Python,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Execution,"Command and Scripting Interpreter",Python,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",Python,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Ptrace System Calls",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Ptrace System Calls","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Ptrace System Calls","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Ptrace System Calls","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Ptrace System Calls","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Ptrace System Calls","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",JavaScript,Any,0,0,4,4,49,49,0,"Endpoint Detection and Response::9,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",JavaScript,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",JavaScript,"Enterprise Security Content Update",0,0,4,4,49,49,0,"Endpoint Detection and Response::9,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",JavaScript,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",JavaScript,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter",JavaScript,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Proc Memory",Any,0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Privilege Escalation","Process Injection","Proc Memory","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Proc Memory","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Proc Memory","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Proc Memory","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Proc Memory","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Network Device CLI",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Network Device CLI","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Network Device CLI","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Network Device CLI","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Network Device CLI","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Command and Scripting Interpreter","Network Device CLI","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Extra Window Memory Injection",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Extra Window Memory Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Extra Window Memory Injection","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Extra Window Memory Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege 
Escalation","Process Injection","Extra Window Memory Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Extra Window Memory Injection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Hollowing",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Hollowing","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Hollowing","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Hollowing","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Hollowing","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Hollowing","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Doppelganging",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Doppelganging","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Doppelganging","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Doppelganging","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Doppelganging","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","Process Doppelganging","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","VDSO Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","VDSO 
Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","VDSO Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","VDSO Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","VDSO Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Process Injection","VDSO Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Input Capture","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Input Capture","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Input Capture","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Input Capture","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Input Capture","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control",Proxy,"-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control",Proxy,"-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control",Proxy,"-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control",Proxy,"-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control",Proxy,"-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control",Proxy,"-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Brute Force","-",Any,0,0,18,0,35,27,0,"AWS::1,Authentication::4,Azure::1,Web Proxy::1,Web Server::1,Windows Security::10",No "Enterprise ATT&CK","Credential Access","Brute Force","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK","Credential Access","Brute Force","-","Enterprise Security Content Update",0,0,2,0,35,27,0,"AWS::1,Azure::1",No "Enterprise ATT&CK","Credential Access","Brute Force","-","Splunk App for Enterprise Security",0,0,6,0,35,27,0,"Authentication::4,Web Proxy::1,Web Server::1",No "Enterprise ATT&CK","Credential Access","Brute Force","-","Splunk Security Essentials",0,0,5,0,35,27,0,"Windows Security::10",No "Enterprise ATT&CK","Credential Access","Brute Force","-","Splunk User Behavior Analytics",0,0,5,0,35,27,0,"Windows Security::10",No "Enterprise ATT&CK","Defense Evasion",Masquerading,"-",Any,0,0,9,0,154,21,0,"Endpoint Detection and Response::8,Microsoft Sysmon Logs::1",No "Enterprise ATT&CK","Defense Evasion",Masquerading,"-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion",Masquerading,"-","Enterprise Security Content Update",0,0,3,0,154,21,0,"Endpoint Detection and Response::8,Microsoft Sysmon Logs::1",No "Enterprise ATT&CK","Defense Evasion",Masquerading,"-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion",Masquerading,"-","Splunk Security Essentials",0,0,6,0,154,21,0,"Endpoint Detection and Response::8",No "Enterprise ATT&CK","Defense Evasion",Masquerading,"-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","-",Any,0,0,6,0,118,7,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","-","Enterprise Security Content Update",0,0,2,0,118,7,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","-","Splunk Security Essentials",0,0,4,0,118,7,0,"Endpoint Detection and 
Response::6",No "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Software Deployment Tools","-",Any,0,0,1,0,49,1,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK",Execution,"Software Deployment Tools","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Software Deployment Tools","-","Enterprise Security Content Update",0,0,1,0,49,1,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK",Execution,"Software Deployment Tools","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Software Deployment Tools","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Software Deployment Tools","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Data Transfer Size Limits","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Data Transfer Size Limits","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Data Transfer Size Limits","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Data Transfer Size Limits","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Data Transfer Size Limits","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Data Transfer Size Limits","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Inhibit System Recovery","-",Any,0,0,10,0,51,10,0,"Endpoint Detection and Response::8,Microsoft System EventLog::1,Windows Security::1",No "Enterprise ATT&CK",Impact,"Inhibit System Recovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Inhibit System Recovery","-","Enterprise Security Content Update",0,0,10,0,51,10,0,"Endpoint Detection and Response::8,Microsoft System EventLog::1,Windows Security::1",No "Enterprise 
ATT&CK",Impact,"Inhibit System Recovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Inhibit System Recovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Inhibit System Recovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Exploit Public-Facing Application","-",Any,0,0,25,0,112,25,0,"Endpoint Detection and Response::8,F5 Big-Ip::1,Microsoft IIS Logs::1,Network Communication::2,Risk Modifiers::1,Web Proxy::3,Web Server::8,Zeek::1",No "Enterprise ATT&CK","Initial Access","Exploit Public-Facing Application","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Exploit Public-Facing Application","-","Enterprise Security Content Update",0,0,22,0,112,25,0,"Endpoint Detection and Response::8,F5 Big-Ip::1,Microsoft IIS Logs::1,Network Communication::2,Risk Modifiers::1,Web Proxy::3,Web Server::8,Zeek::1",No "Enterprise ATT&CK","Initial Access","Exploit Public-Facing Application","-","Splunk App for Enterprise Security",0,0,2,0,112,25,0,"Web Proxy::3,Web Server::8",No "Enterprise ATT&CK","Initial Access","Exploit Public-Facing Application","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Exploit Public-Facing Application","-","Splunk User Behavior Analytics",0,0,1,0,112,25,0,"Web Server::8",No "Enterprise ATT&CK","Lateral Movement","Replication Through Removable Media","-",Any,0,0,3,0,19,3,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK","Lateral Movement","Replication Through Removable Media","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Replication Through Removable Media","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Replication Through Removable Media","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Replication Through Removable 
Media","-","Splunk Security Essentials",0,0,1,0,19,3,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK","Lateral Movement","Replication Through Removable Media","-","Splunk User Behavior Analytics",0,0,2,0,19,3,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK",Persistence,"Account Manipulation","-",Any,0,0,11,0,100,13,0,"AWS::3,Endpoint Detection and Response::2,GCP::1,Windows Security::5",No "Enterprise ATT&CK",Persistence,"Account Manipulation","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Account Manipulation","-","Enterprise Security Content Update",0,0,3,0,100,13,0,"AWS::3",No "Enterprise ATT&CK",Persistence,"Account Manipulation","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Account Manipulation","-","Splunk Security Essentials",0,0,8,0,100,13,0,"Endpoint Detection and Response::2,GCP::1,Windows Security::5",No "Enterprise ATT&CK",Persistence,"Account Manipulation","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Exploitation for Privilege Escalation","-",Any,0,0,9,0,102,9,0,"::2,Anti-Virus or Anti-Malware::1,Endpoint Detection and Response::4,Microsoft Sysmon Logs::1,OSQuery::1",No "Enterprise ATT&CK","Privilege Escalation","Exploitation for Privilege Escalation","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Exploitation for Privilege Escalation","-","Enterprise Security Content Update",0,0,7,0,102,9,0,"::2,Endpoint Detection and Response::4,Microsoft Sysmon Logs::1,OSQuery::1",No "Enterprise ATT&CK","Privilege Escalation","Exploitation for Privilege Escalation","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Exploitation for Privilege Escalation","-","Splunk Security Essentials",0,0,2,0,102,9,0,"Anti-Virus or Anti-Malware::1,Endpoint Detection and Response::4",No "Enterprise ATT&CK","Privilege Escalation","Exploitation for 
Privilege Escalation","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","-",Any,0,0,4,0,5,4,0,"Endpoint Detection and Response::1,Windows Security::3",No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","-","Enterprise Security Content Update",0,0,4,0,5,4,0,"Endpoint Detection and Response::1,Windows Security::3",No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Accounts","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Accounts","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Accounts","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Accounts","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Accounts","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Compromise Accounts","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Input Capture",Keylogging,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture",Keylogging,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture",Keylogging,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture",Keylogging,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Collection,"Input Capture",Keylogging,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture",Keylogging,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Internal Proxy",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Internal Proxy","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Internal Proxy","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Internal Proxy","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Internal Proxy","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Internal Proxy","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Guessing",Any,0,0,1,1,35,27,0,"Azure::1",Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Guessing","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Guessing","Enterprise Security Content Update",0,0,1,1,35,27,0,"Azure::1",Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Guessing","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Guessing","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Guessing","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Invalid Code Signature",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Invalid Code Signature","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Invalid Code Signature","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense 
Evasion",Masquerading,"Invalid Code Signature","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Invalid Code Signature","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Invalid Code Signature","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","Internet Connection Discovery",Any,0,0,1,1,118,7,0,"Endpoint Detection and Response::6",Yes "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","Internet Connection Discovery","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","Internet Connection Discovery","Enterprise Security Content Update",0,0,1,1,118,7,0,"Endpoint Detection and Response::6",Yes "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","Internet Connection Discovery","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","Internet Connection Discovery","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Network Configuration Discovery","Internet Connection Discovery","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Additional Cloud Credentials",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Additional Cloud Credentials","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Additional Cloud Credentials","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Additional Cloud Credentials","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Additional Cloud Credentials","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Persistence,"Account Manipulation","Additional Cloud Credentials","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Hardware,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Hardware,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Hardware,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Hardware,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Hardware,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Hardware,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Social Media Accounts",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Social Media Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Social Media Accounts","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Social Media Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Social Media Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Social Media Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","GUI Input Capture",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","GUI Input Capture","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","GUI Input Capture","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Collection,"Input Capture","GUI Input Capture","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","GUI Input Capture","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","GUI Input Capture","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"External Proxy",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"External Proxy","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"External Proxy","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"External Proxy","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"External Proxy","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"External Proxy","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Cracking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Cracking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Cracking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Cracking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Cracking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Cracking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Right-to-Left Override",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Right-to-Left Override","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Right-to-Left 
Override","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Right-to-Left Override","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Right-to-Left Override","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Right-to-Left Override","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Exchange Email Delegate Permissions",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Exchange Email Delegate Permissions","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Exchange Email Delegate Permissions","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Exchange Email Delegate Permissions","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Exchange Email Delegate Permissions","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Exchange Email Delegate Permissions","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Software,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Software,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Software,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Software,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Software,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Software,"Splunk User Behavior 
Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Email Accounts",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Email Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Email Accounts","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Email Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Email Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Compromise Accounts","Email Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Web Portal Capture",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Web Portal Capture","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Web Portal Capture","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Web Portal Capture","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Web Portal Capture","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Web Portal Capture","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Multi-hop Proxy",Any,0,0,1,1,48,1,0,"Network Communication::0",Yes "Enterprise ATT&CK","Command and Control",Proxy,"Multi-hop Proxy","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Multi-hop Proxy","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Multi-hop Proxy","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Multi-hop 
Proxy","Splunk Security Essentials",0,0,1,1,48,1,0,"Network Communication::0",Yes "Enterprise ATT&CK","Command and Control",Proxy,"Multi-hop Proxy","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Spraying",Any,0,0,8,8,35,27,0,"Windows Security::10",Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Spraying","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Spraying","Enterprise Security Content Update",0,0,8,8,35,27,0,"Windows Security::10",Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Spraying","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Spraying","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Password Spraying","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Rename System Utilities",Any,0,0,10,10,154,21,0,"Endpoint Detection and Response::8",Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Rename System Utilities","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Rename System Utilities","Enterprise Security Content Update",0,0,10,10,154,21,0,"Endpoint Detection and Response::8",Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Rename System Utilities","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Rename System Utilities","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Rename System Utilities","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Add Office 365 Global Administrator Role",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Add Office 365 Global Administrator 
Role","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Add Office 365 Global Administrator Role","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Add Office 365 Global Administrator Role","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Add Office 365 Global Administrator Role","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","Add Office 365 Global Administrator Role","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Firmware,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Firmware,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Firmware,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Firmware,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Firmware,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information",Firmware,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Credential API Hooking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Credential API Hooking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Credential API Hooking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Credential API Hooking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input Capture","Credential API Hooking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Input 
Capture","Credential API Hooking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Domain Fronting",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Domain Fronting","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Domain Fronting","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Domain Fronting","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Domain Fronting","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control",Proxy,"Domain Fronting","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Credential Stuffing",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Credential Stuffing","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Credential Stuffing","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Credential Stuffing","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Credential Stuffing","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Brute Force","Credential Stuffing","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Masquerade Task or Service",Any,0,0,1,1,154,21,0,"Endpoint Detection and Response::8",Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Masquerade Task or Service","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Masquerade Task or Service","Enterprise Security Content Update",0,0,1,1,154,21,0,"Endpoint Detection and Response::8",Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Masquerade Task or 
Service","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Masquerade Task or Service","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Masquerade Task or Service","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","SSH Authorized Keys",Any,0,0,2,2,100,13,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","SSH Authorized Keys","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","SSH Authorized Keys","Enterprise Security Content Update",0,0,2,2,100,13,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","SSH Authorized Keys","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","SSH Authorized Keys","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Account Manipulation","SSH Authorized Keys","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","Client Configurations",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","Client Configurations","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","Client Configurations","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","Client Configurations","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","Client Configurations","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Gather Victim Host Information","Client Configurations","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense 
Evasion",Masquerading,"Match Legitimate Name or Location",Any,0,0,1,1,154,21,0,"Endpoint Detection and Response::8",Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Match Legitimate Name or Location","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Match Legitimate Name or Location","Enterprise Security Content Update",0,0,1,1,154,21,0,"Endpoint Detection and Response::8",Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Match Legitimate Name or Location","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Match Legitimate Name or Location","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Match Legitimate Name or Location","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Space after Filename",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Space after Filename","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Space after Filename","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Space after Filename","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Space after Filename","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Space after Filename","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Double File Extension",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Double File Extension","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Double File Extension","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Double File Extension","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Double File Extension","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion",Masquerading,"Double File Extension","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","-",Any,0,0,1,0,30,2,0,"Endpoint Detection and Response::1",No "Enterprise ATT&CK",Collection,"Data Staged","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data Staged","-","Enterprise Security Content Update",0,0,1,0,30,2,0,"Endpoint Detection and Response::1",No "Enterprise ATT&CK",Collection,"Data Staged","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data Staged","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data Staged","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Communication Through Removable Media","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Communication Through Removable Media","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Communication Through Removable Media","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Communication Through Removable Media","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Communication Through Removable Media","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Communication Through Removable Media","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Two-Factor Authentication Interception","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Two-Factor Authentication Interception","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Two-Factor Authentication 
Interception","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Two-Factor Authentication Interception","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Two-Factor Authentication Interception","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Two-Factor Authentication Interception","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Process Injection","-",Any,0,0,17,0,154,19,0,"Endpoint Detection and Response::14,Microsoft Sysmon Logs::12,Network Communication::6,Windows Security::2",No "Enterprise ATT&CK","Defense Evasion","Process Injection","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Process Injection","-","Enterprise Security Content Update",0,0,17,0,154,19,0,"Endpoint Detection and Response::14,Microsoft Sysmon Logs::12,Network Communication::6,Windows Security::2",No "Enterprise ATT&CK","Defense Evasion","Process Injection","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Process Injection","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Process Injection","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Remote System Discovery","-",Any,0,0,24,0,118,24,0,"Endpoint Detection and Response::11,IDS or IPS::1,Network Communication::2,SFDC::2,Windows Security::8",No "Enterprise ATT&CK",Discovery,"Remote System Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Remote System Discovery","-","Enterprise Security Content Update",0,0,18,0,118,24,0,"Endpoint Detection and Response::11,Windows Security::8",No "Enterprise ATT&CK",Discovery,"Remote System Discovery","-","Splunk App for Enterprise Security",0,0,1,0,118,24,0,"IDS or IPS::1",No "Enterprise ATT&CK",Discovery,"Remote System 
Discovery","-","Splunk Security Essentials",0,0,5,0,118,24,0,"Endpoint Detection and Response::11,Network Communication::2,SFDC::2",No "Enterprise ATT&CK",Discovery,"Remote System Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Native API","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Native API","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Native API","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Native API","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Native API","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Native API","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over C2 Channel","-",Any,0,0,15,0,56,15,0,"Network Communication::10,Web Proxy::4,Zeek::1",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over C2 Channel","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over C2 Channel","-","Enterprise Security Content Update",0,0,1,0,56,15,0,"Zeek::1",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over C2 Channel","-","Splunk App for Enterprise Security",0,0,1,0,56,15,0,"Web Proxy::4",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over C2 Channel","-","Splunk Security Essentials",0,0,6,0,56,15,0,"Network Communication::10,Web Proxy::4",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over C2 Channel","-","Splunk User Behavior Analytics",0,0,7,0,56,15,0,"Network Communication::10,Web Proxy::4",No "Enterprise ATT&CK",Impact,Defacement,"-",Any,0,0,1,0,51,1,0,"Microsoft Sysmon Logs::1",No "Enterprise ATT&CK",Impact,Defacement,"-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,Defacement,"-","Enterprise Security Content Update",0,0,1,0,51,1,0,"Microsoft Sysmon Logs::1",No "Enterprise ATT&CK",Impact,Defacement,"-","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,Defacement,"-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,Defacement,"-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Exploitation of Remote Services","-",Any,0,0,2,0,19,2,0,"Network Communication::1,Windows Security::1",No "Enterprise ATT&CK","Lateral Movement","Exploitation of Remote Services","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Exploitation of Remote Services","-","Enterprise Security Content Update",0,0,1,0,19,2,0,"Windows Security::1",No "Enterprise ATT&CK","Lateral Movement","Exploitation of Remote Services","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Exploitation of Remote Services","-","Splunk Security Essentials",0,0,1,0,19,2,0,"Network Communication::1",No "Enterprise ATT&CK","Lateral Movement","Exploitation of Remote Services","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"External Remote Services","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"External Remote Services","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"External Remote Services","-","Enterprise Security Content 
Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"External Remote Services","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"External Remote Services","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"External Remote Services","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","-",Any,0,0,63,0,102,101,0,"::4,AWS::28,Anti-Virus or Anti-Malware::4,Authentication::24,Box::4,Change Events Data::20,GCP::20,Network Communication::4,SFDC::8,Ticket Management::8,User Activity Audit::4,Web Server::4,Windows Security::120",No "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","-","Enterprise Security Content Update",0,0,19,0,102,101,0,"::4,AWS::28,Change Events Data::20,GCP::20,Web Server::4,Windows Security::120",No "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","-","Splunk App for Enterprise Security",0,0,8,0,102,101,0,"Anti-Virus or Anti-Malware::4,Authentication::24,User Activity Audit::4,Windows Security::120",No "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","-","Splunk Security Essentials",0,0,22,0,102,101,0,"AWS::28,GCP::20,SFDC::8,Ticket Management::8,Windows Security::120",No "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","-","Splunk User Behavior Analytics",0,0,14,0,102,101,0,"Authentication::24,Box::4,Network Communication::4,Windows Security::120",No "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","-","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Develop Capabilities","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Develop Capabilities","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Develop Capabilities","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Develop Capabilities","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Develop Capabilities","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Develop Capabilities","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data Staged","Local Data Staging",Any,0,1,0,1,30,2,0,"App Server::0",Yes "Enterprise ATT&CK",Collection,"Data Staged","Local Data Staging","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","Local Data Staging","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","Local Data Staging","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","Local Data Staging","Splunk Security Essentials",0,1,0,1,30,2,0,"App Server::0",Yes "Enterprise ATT&CK",Collection,"Data Staged","Local Data Staging","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Dynamic-link Library Injection",Any,0,0,2,2,154,19,0,"Endpoint Detection and Response::14,Microsoft Sysmon Logs::12",Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Dynamic-link Library Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense 
Evasion","Process Injection","Dynamic-link Library Injection","Enterprise Security Content Update",0,0,2,2,154,19,0,"Endpoint Detection and Response::14,Microsoft Sysmon Logs::12",Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Dynamic-link Library Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Dynamic-link Library Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Dynamic-link Library Injection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"Internal Defacement",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"Internal Defacement","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"Internal Defacement","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"Internal Defacement","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"Internal Defacement","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"Internal Defacement","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Dependencies and Development Tools",Any,0,0,2,2,112,3,0,"Web Server::0",Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Dependencies and Development Tools","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Dependencies and Development Tools","Enterprise Security Content Update",0,0,2,2,112,3,0,"Web Server::0",Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Dependencies and Development Tools","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain 
Compromise","Compromise Software Dependencies and Development Tools","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Dependencies and Development Tools","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Default Accounts",Any,0,0,4,4,102,101,0,"Okta::0",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Default Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Default Accounts","Enterprise Security Content Update",0,0,4,4,102,101,0,"Okta::0",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Default Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Default Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Default Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Social Media",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Social Media","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Social Media","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Social Media","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Social Media","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Social Media","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Malware,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Malware,"Custom 
Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Malware,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Malware,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Malware,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Malware,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","Remote Data Staging",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","Remote Data Staging","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","Remote Data Staging","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","Remote Data Staging","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","Remote Data Staging","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data Staged","Remote Data Staging","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Portable Executable Injection",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Portable Executable Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Portable Executable Injection","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Portable Executable Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Portable Executable Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Portable Executable Injection","Splunk User Behavior 
Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"External Defacement",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"External Defacement","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"External Defacement","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"External Defacement","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"External Defacement","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,Defacement,"External Defacement","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Supply Chain",Any,0,0,1,1,112,3,0,"Web Server::0",Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Supply Chain","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Supply Chain","Enterprise Security Content Update",0,0,1,1,112,3,0,"Web Server::0",Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Supply Chain","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Supply Chain","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Software Supply Chain","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Domain Accounts",Any,0,1,4,5,102,101,0,"Change Events Data::20,HR System::0,Windows Security::120",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Domain Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Domain Accounts","Enterprise Security Content Update",0,1,4,5,102,101,0,"Change Events Data::20,HR 
System::0,Windows Security::120",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Domain Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Domain Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Domain Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Search Engines",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Search Engines","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Search Engines","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Search Engines","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Search Engines","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Websites/Domains","Search Engines","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Code Signing Certificates",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Code Signing Certificates","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Code Signing Certificates","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Code Signing Certificates","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Code Signing Certificates","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Code Signing Certificates","Splunk User 
Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Execution Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Execution Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Execution Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Execution Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Execution Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Execution Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Hardware Supply Chain",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Hardware Supply Chain","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Hardware Supply Chain","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Hardware Supply Chain","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Hardware Supply Chain","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access","Supply Chain Compromise","Compromise Hardware Supply Chain","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Local Accounts",Any,0,0,3,3,102,101,0,"Change Events Data::20,Windows Security::120",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Local Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege 
Escalation","Valid Accounts","Local Accounts","Enterprise Security Content Update",0,0,1,3,102,101,0,"Change Events Data::20",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Local Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Local Accounts","Splunk Security Essentials",0,0,2,3,102,101,0,"Windows Security::120",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Local Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Digital Certificates",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Digital Certificates","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Digital Certificates","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Digital Certificates","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Digital Certificates","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities","Digital Certificates","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Asynchronous Procedure Call",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Asynchronous Procedure Call","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Asynchronous Procedure Call","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Asynchronous Procedure Call","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Asynchronous Procedure Call","Splunk Security 
Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Asynchronous Procedure Call","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Cloud Accounts",Any,0,0,26,26,102,101,0,"AWS::28,Azure::0,Change Events Data::20",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Cloud Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Cloud Accounts","Enterprise Security Content Update",0,0,19,26,102,101,0,"AWS::28,Change Events Data::20",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Cloud Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Cloud Accounts","Splunk Security Essentials",0,0,7,26,102,101,0,"Azure::0",Yes "Enterprise ATT&CK","Privilege Escalation","Valid Accounts","Cloud Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Exploits,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Exploits,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Exploits,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Exploits,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Exploits,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Develop Capabilities",Exploits,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Local Storage",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Local Storage","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process 
Injection","Thread Local Storage","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Local Storage","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Local Storage","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Thread Local Storage","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Ptrace System Calls",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Ptrace System Calls","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Ptrace System Calls","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Ptrace System Calls","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Ptrace System Calls","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Ptrace System Calls","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Proc Memory",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Proc Memory","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Proc Memory","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Proc Memory","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Proc Memory","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Proc Memory","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process 
Injection","Extra Window Memory Injection",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Extra Window Memory Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Extra Window Memory Injection","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Extra Window Memory Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Extra Window Memory Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Extra Window Memory Injection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Hollowing",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Hollowing","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Hollowing","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Hollowing","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Hollowing","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Hollowing","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Doppelganging",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Doppelganging","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Doppelganging","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Doppelganging","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Doppelganging","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","Process Doppelganging","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","VDSO Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","VDSO Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","VDSO Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","VDSO Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","VDSO Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Process Injection","VDSO Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Screen Capture","-",Any,0,0,3,0,30,3,0,"Endpoint Detection and Response::3",No "Enterprise ATT&CK",Collection,"Screen Capture","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Screen Capture","-","Enterprise Security Content Update",0,0,3,0,30,3,0,"Endpoint Detection and Response::3",No "Enterprise ATT&CK",Collection,"Screen Capture","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Screen Capture","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Screen Capture","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Non-Application Layer Protocol","-",Any,0,0,11,0,48,11,0,"Network Communication::9,Web Proxy::2",No "Enterprise ATT&CK","Command and Control","Non-Application Layer Protocol","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Non-Application Layer 
Protocol","-","Enterprise Security Content Update",0,0,1,0,48,11,0,"Network Communication::9",No "Enterprise ATT&CK","Command and Control","Non-Application Layer Protocol","-","Splunk App for Enterprise Security",0,0,1,0,48,11,0,"Network Communication::9",No "Enterprise ATT&CK","Command and Control","Non-Application Layer Protocol","-","Splunk Security Essentials",0,0,2,0,48,11,0,"Network Communication::9",No "Enterprise ATT&CK","Command and Control","Non-Application Layer Protocol","-","Splunk User Behavior Analytics",0,0,7,0,48,11,0,"Network Communication::9,Web Proxy::2",No "Enterprise ATT&CK","Credential Access","Forced Authentication","-",Any,0,0,1,0,35,1,0,"Windows Security::1",No "Enterprise ATT&CK","Credential Access","Forced Authentication","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Forced Authentication","-","Enterprise Security Content Update",0,0,1,0,35,1,0,"Windows Security::1",No "Enterprise ATT&CK","Credential Access","Forced Authentication","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Forced Authentication","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Forced Authentication","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","-",Any,0,0,4,0,154,24,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::1,User Activity Audit::1",No "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","-","Enterprise Security Content Update",0,0,3,0,154,24,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::1",No "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","-","Splunk App for Enterprise Security",0,0,1,0,154,24,0,"User Activity Audit::1",No "Enterprise ATT&CK","Defense Evasion","Indicator Removal on 
Host","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Owner/User Discovery","-",Any,0,0,12,0,118,12,0,"Endpoint Detection and Response::10,Windows Security::2",No "Enterprise ATT&CK",Discovery,"System Owner/User Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Owner/User Discovery","-","Enterprise Security Content Update",0,0,8,0,118,12,0,"Endpoint Detection and Response::10,Windows Security::2",No "Enterprise ATT&CK",Discovery,"System Owner/User Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Owner/User Discovery","-","Splunk Security Essentials",0,0,4,0,118,12,0,"Endpoint Detection and Response::10",No "Enterprise ATT&CK",Discovery,"System Owner/User Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Shared Modules","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Shared Modules","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Shared Modules","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Shared Modules","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Shared Modules","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Shared Modules","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","-",Any,0,0,21,0,56,29,0,"Email::1,Endpoint Detection and Response::1,Microsoft Sysmon Logs::1,Network Communication::12,Web Proxy::6",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","-","Enterprise Security Content 
Update",0,0,3,0,56,29,0,"Endpoint Detection and Response::1,Microsoft Sysmon Logs::1,Network Communication::12",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","-","Splunk App for Enterprise Security",0,0,2,0,56,29,0,"Web Proxy::6",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","-","Splunk Security Essentials",0,0,8,0,56,29,0,"Email::1,Network Communication::12,Web Proxy::6",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","-","Splunk User Behavior Analytics",0,0,8,0,56,29,0,"Network Communication::12",No "Enterprise ATT&CK",Impact,"Firmware Corruption","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Firmware Corruption","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Firmware Corruption","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Firmware Corruption","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Firmware Corruption","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Firmware Corruption","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Trusted Relationship","-",Any,0,0,2,0,112,2,0,"Web Server::2",No "Enterprise ATT&CK","Initial Access","Trusted Relationship","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Trusted Relationship","-","Enterprise Security Content Update",0,0,2,0,112,2,0,"Web Server::2",No "Enterprise ATT&CK","Initial Access","Trusted Relationship","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Trusted Relationship","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Trusted Relationship","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Internal Spearphishing","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral 
Movement","Internal Spearphishing","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Internal Spearphishing","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Internal Spearphishing","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Internal Spearphishing","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Internal Spearphishing","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Create Account","-",Any,0,0,7,0,100,18,0,"User Activity Audit::1,Web Server::1,Windows Security::5",No "Enterprise ATT&CK",Persistence,"Create Account","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Create Account","-","Enterprise Security Content Update",0,0,1,0,100,18,0,"Web Server::1",No "Enterprise ATT&CK",Persistence,"Create Account","-","Splunk App for Enterprise Security",0,0,2,0,100,18,0,"User Activity Audit::1,Windows Security::5",No "Enterprise ATT&CK",Persistence,"Create Account","-","Splunk Security Essentials",0,0,2,0,100,18,0,"Windows Security::5",No "Enterprise ATT&CK",Persistence,"Create Account","-","Splunk User Behavior Analytics",0,0,2,0,100,18,0,"Windows Security::5",No "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","-",Any,0,0,1,0,102,3,0,"Windows Security::2",No "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","-","Splunk Security Essentials",0,0,1,0,102,3,0,"Windows Security::2",No "Enterprise ATT&CK","Privilege Escalation","Access 
Token Manipulation","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Victim-Owned Websites","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Victim-Owned Websites","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Victim-Owned Websites","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Victim-Owned Websites","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Victim-Owned Websites","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Victim-Owned Websites","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Obtain Capabilities","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Obtain Capabilities","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Obtain Capabilities","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Obtain Capabilities","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Obtain Capabilities","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Obtain Capabilities","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Windows Event Logs",Any,0,0,7,7,154,24,0,"Endpoint Detection and Response::2,Windows Security::0",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Windows Event Logs","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Windows Event Logs","Enterprise Security Content Update",0,0,4,7,154,24,0,"Endpoint Detection and Response::2,Windows Security::0",Yes "Enterprise ATT&CK","Defense Evasion","Indicator 
Removal on Host","Clear Windows Event Logs","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Windows Event Logs","Splunk Security Essentials",0,0,3,7,154,24,0,"Endpoint Detection and Response::2,Windows Security::0",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Windows Event Logs","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Symmetric Encrypted Non-C2 Protocol",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Symmetric Encrypted Non-C2 Protocol","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Local Account",Any,0,0,5,5,100,18,0,"Change Events Data::0,Endpoint Detection and Response::0,Windows Security::5",Yes "Enterprise ATT&CK",Persistence,"Create Account","Local Account","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Local Account","Enterprise Security Content Update",0,0,4,5,100,18,0,"Change Events Data::0,Endpoint Detection and Response::0,Windows Security::5",Yes "Enterprise 
ATT&CK",Persistence,"Create Account","Local Account","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Local Account","Splunk Security Essentials",0,0,1,5,100,18,0,"Windows Security::5",Yes "Enterprise ATT&CK",Persistence,"Create Account","Local Account","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Token Impersonation/Theft",Any,0,0,1,1,102,3,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Token Impersonation/Theft","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Token Impersonation/Theft","Enterprise Security Content Update",0,0,1,1,102,3,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Token Impersonation/Theft","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Token Impersonation/Theft","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Token Impersonation/Theft","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Malware,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Malware,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Malware,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Malware,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Malware,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Malware,"Splunk User Behavior 
Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Linux or Mac System Logs",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Linux or Mac System Logs","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Linux or Mac System Logs","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Linux or Mac System Logs","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Linux or Mac System Logs","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Linux or Mac System Logs","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create 
Account","Domain Account",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Domain Account","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Domain Account","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Domain Account","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Domain Account","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Domain Account","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Create Process with Token",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Create Process with Token","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Create Process with Token","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Create Process with Token","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Create Process with Token","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Create Process with Token","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Tool,Any,0,0,2,2,0,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Tool,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Tool,"Enterprise Security Content Update",0,0,2,2,0,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Tool,"Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Tool,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Tool,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Command History",Any,0,0,1,1,154,24,0,"Windows Security::0",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Command History","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Command History","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Command History","Splunk App for Enterprise Security",0,0,1,1,154,24,0,"Windows Security::0",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Command History","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Clear Command History","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",Any,0,0,8,8,56,29,0,"DNS::0,Google Gmail::0,Network Communication::12,Web Server::0",Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","Enterprise Security Content Update",0,0,8,8,56,29,0,"DNS::0,Google Gmail::0,Network Communication::12,Web Server::0",Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Alternative Protocol","Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Cloud Account",Any,0,0,6,6,100,18,0,"AWS::0,Azure::0",Yes "Enterprise ATT&CK",Persistence,"Create Account","Cloud Account","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Cloud Account","Enterprise Security Content Update",0,0,6,6,100,18,0,"AWS::0,Azure::0",Yes "Enterprise ATT&CK",Persistence,"Create Account","Cloud Account","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Cloud Account","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create Account","Cloud Account","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Make and Impersonate Token",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Make and Impersonate Token","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Make and Impersonate Token","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Make and Impersonate Token","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Make and Impersonate Token","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Make and Impersonate Token","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Code 
Signing Certificates",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Code Signing Certificates","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Code Signing Certificates","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Code Signing Certificates","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Code Signing Certificates","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Code Signing Certificates","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","File Deletion",Any,0,0,10,10,154,24,0,"Endpoint Detection and Response::2,Windows Security::0",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","File Deletion","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","File Deletion","Enterprise Security Content Update",0,0,9,10,154,24,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","File Deletion","Splunk App for Enterprise Security",0,0,1,10,154,24,0,"Windows Security::0",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","File Deletion","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","File Deletion","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Parent PID Spoofing",Any,0,0,1,1,102,3,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Parent PID Spoofing","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token 
Manipulation","Parent PID Spoofing","Enterprise Security Content Update",0,0,1,1,102,3,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Parent PID Spoofing","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Parent PID Spoofing","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","Parent PID Spoofing","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Digital Certificates",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Digital Certificates","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Digital Certificates","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Digital Certificates","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Digital Certificates","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities","Digital Certificates","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Network Share Connection Removal",Any,0,0,1,1,154,24,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Network Share Connection Removal","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Network Share Connection Removal","Enterprise Security Content Update",0,0,1,1,154,24,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Network Share Connection Removal","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Network Share Connection Removal","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host","Network Share Connection Removal","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","SID-History Injection",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","SID-History Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","SID-History Injection","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","SID-History Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","SID-History Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Access Token Manipulation","SID-History Injection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Exploits,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Exploits,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Exploits,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Exploits,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Exploits,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Exploits,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host",Timestomp,Any,0,1,0,1,154,24,0,"Any Splunk 
Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host",Timestomp,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host",Timestomp,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host",Timestomp,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host",Timestomp,"Splunk Security Essentials",0,1,0,1,154,24,0,"Any Splunk Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Indicator Removal on Host",Timestomp,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Vulnerabilities,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Vulnerabilities,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Vulnerabilities,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Vulnerabilities,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Vulnerabilities,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Obtain Capabilities",Vulnerabilities,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","-",Any,0,0,1,0,30,8,0,"Azure::1",No "Enterprise ATT&CK",Collection,"Email Collection","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Email Collection","-","Enterprise Security Content Update",0,0,1,0,30,8,0,"Azure::1",No "Enterprise ATT&CK",Collection,"Email Collection","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Email Collection","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Email Collection","-","Splunk User 
Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Web Service","-",Any,0,0,5,0,48,5,0,"Anti-Virus or Anti-Malware::1,SFDC::1,Web Proxy::3",No "Enterprise ATT&CK","Command and Control","Web Service","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Web Service","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Web Service","-","Splunk App for Enterprise Security",0,0,1,0,48,5,0,"Web Proxy::3",No "Enterprise ATT&CK","Command and Control","Web Service","-","Splunk Security Essentials",0,0,3,0,48,5,0,"SFDC::1,Web Proxy::3",No "Enterprise ATT&CK","Command and Control","Web Service","-","Splunk User Behavior Analytics",0,0,1,0,48,5,0,"Anti-Virus or Anti-Malware::1",No "Enterprise ATT&CK","Credential Access","Exploitation for Credential Access","-",Any,0,1,2,0,35,3,0,"Any Splunk Logs::1,Kubernetes::2",No "Enterprise ATT&CK","Credential Access","Exploitation for Credential Access","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Exploitation for Credential Access","-","Enterprise Security Content Update",0,0,2,0,35,3,0,"Kubernetes::2",No "Enterprise ATT&CK","Credential Access","Exploitation for Credential Access","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Exploitation for Credential Access","-","Splunk Security Essentials",0,1,0,0,35,3,0,"Any Splunk Logs::1",No "Enterprise ATT&CK","Credential Access","Exploitation for Credential Access","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Valid Accounts","-",Any,0,0,63,0,154,101,0,"::4,AWS::28,Anti-Virus or Anti-Malware::4,Authentication::24,Box::4,Change Events Data::20,GCP::20,Network Communication::4,SFDC::8,Ticket Management::8,User Activity Audit::4,Web Server::4,Windows Security::120",No "Enterprise ATT&CK","Defense Evasion","Valid Accounts","-","Custom 
Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Valid Accounts","-","Enterprise Security Content Update",0,0,19,0,154,101,0,"::4,AWS::28,Change Events Data::20,GCP::20,Web Server::4,Windows Security::120",No "Enterprise ATT&CK","Defense Evasion","Valid Accounts","-","Splunk App for Enterprise Security",0,0,8,0,154,101,0,"Anti-Virus or Anti-Malware::4,Authentication::24,User Activity Audit::4,Windows Security::120",No "Enterprise ATT&CK","Defense Evasion","Valid Accounts","-","Splunk Security Essentials",0,0,22,0,154,101,0,"AWS::28,GCP::20,SFDC::8,Ticket Management::8,Windows Security::120",No "Enterprise ATT&CK","Defense Evasion","Valid Accounts","-","Splunk User Behavior Analytics",0,0,14,0,154,101,0,"Authentication::24,Box::4,Network Communication::4,Windows Security::120",No "Enterprise ATT&CK",Discovery,"Network Sniffing","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Sniffing","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Sniffing","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Sniffing","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Sniffing","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Sniffing","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Exploitation for Client Execution","-",Any,0,0,3,0,49,3,0,"::1,Microsoft Sysmon Logs::1,Network Communication::1",No "Enterprise ATT&CK",Execution,"Exploitation for Client Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Exploitation for Client Execution","-","Enterprise Security Content Update",0,0,3,0,49,3,0,"::1,Microsoft Sysmon Logs::1,Network Communication::1",No "Enterprise ATT&CK",Execution,"Exploitation for Client Execution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Exploitation for 
Client Execution","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Exploitation for Client Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","-",Any,0,0,7,0,56,9,0,"Application Data::1,DLP::1,Endpoint Detection and Response::3,User Activity Audit::2",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","-","Splunk Security Essentials",0,0,2,0,56,9,0,"User Activity Audit::2",No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","-","Splunk User Behavior Analytics",0,0,5,0,56,9,0,"Application Data::1,DLP::1,Endpoint Detection and Response::3",No "Enterprise ATT&CK",Impact,"Resource Hijacking","-",Any,0,0,3,0,51,3,0,"Azure::1,Kubernetes::2",No "Enterprise ATT&CK",Impact,"Resource Hijacking","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Resource Hijacking","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Resource Hijacking","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Resource Hijacking","-","Splunk Security Essentials",0,0,3,0,51,3,0,"Azure::1,Kubernetes::2",No "Enterprise ATT&CK",Impact,"Resource Hijacking","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Hardware Additions","-",Any,0,0,7,0,112,7,0,"Cisco IOS::5,Endpoint Detection and Response::1,Network Communication::1",No "Enterprise ATT&CK","Initial Access","Hardware Additions","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Hardware 
Additions","-","Enterprise Security Content Update",0,0,5,0,112,7,0,"Cisco IOS::5",No "Enterprise ATT&CK","Initial Access","Hardware Additions","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access","Hardware Additions","-","Splunk Security Essentials",0,0,1,0,112,7,0,"Network Communication::1",No "Enterprise ATT&CK","Initial Access","Hardware Additions","-","Splunk User Behavior Analytics",0,0,1,0,112,7,0,"Endpoint Detection and Response::1",No "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","-",Any,0,0,3,0,19,8,0,"AWS::2,Network Communication::2,Windows Security::2",No "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","-","Enterprise Security Content Update",0,0,3,0,19,8,0,"AWS::2,Network Communication::2,Windows Security::2",No "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Office Application Startup","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Office Application Startup","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Office Application Startup","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Office Application Startup","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Office Application Startup","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Office Application Startup","-","Splunk User Behavior 
Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Active Scanning","-",Any,0,0,1,0,5,1,0,"Endpoint Detection and Response::1",No "Enterprise ATT&CK",Reconnaissance,"Active Scanning","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Active Scanning","-","Enterprise Security Content Update",0,0,1,0,5,1,0,"Endpoint Detection and Response::1",No "Enterprise ATT&CK",Reconnaissance,"Active Scanning","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Active Scanning","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Active Scanning","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Stage Capabilities","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Stage Capabilities","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Stage Capabilities","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Stage Capabilities","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Resource Development","Stage Capabilities","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK","Resource Development","Stage Capabilities","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Email Collection","Local Email Collection",Any,0,0,2,2,30,8,0,"Endpoint Detection and Response::0,Windows Security::0",Yes "Enterprise ATT&CK",Collection,"Email Collection","Local Email Collection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Local Email Collection","Enterprise Security Content Update",0,0,2,2,30,8,0,"Endpoint Detection and Response::0,Windows Security::0",Yes "Enterprise ATT&CK",Collection,"Email Collection","Local Email Collection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Local Email Collection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Local Email Collection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Dead Drop Resolver",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Dead Drop Resolver","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Dead Drop Resolver","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Dead Drop Resolver","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Dead Drop Resolver","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Dead Drop Resolver","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Default Accounts",Any,0,0,4,4,154,101,0,"Okta::0",Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Default Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Default Accounts","Enterprise Security Content 
Update",0,0,4,4,154,101,0,"Okta::0",Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Default Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Default Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Default Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","Exfiltration over USB",Any,0,0,2,2,56,9,0,"Endpoint Detection and Response::3",Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","Exfiltration over USB","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","Exfiltration over USB","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","Exfiltration over USB","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","Exfiltration over USB","Splunk Security Essentials",0,0,2,2,56,9,0,"Endpoint Detection and Response::3",Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Physical Medium","Exfiltration over USB","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Application Access Token",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Application Access Token","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Application Access Token","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Application Access Token","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication 
Material","Application Access Token","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Application Access Token","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Template Macros",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Template Macros","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Template Macros","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Template Macros","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Template Macros","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Template Macros","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Group Policy Modification",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Group Policy Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Group Policy Modification","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Group Policy Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Group Policy Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Group Policy Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Scanning IP Blocks",Any,0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK",Reconnaissance,"Active Scanning","Scanning IP Blocks","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Scanning IP Blocks","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Scanning IP Blocks","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Scanning IP Blocks","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Scanning IP Blocks","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Malware",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Malware","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Malware","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Malware","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Malware","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Malware","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Remote Email Collection",Any,0,0,3,3,30,8,0,"Azure::1,Network Communication::0",Yes "Enterprise ATT&CK",Collection,"Email Collection","Remote Email Collection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Remote Email Collection","Enterprise Security Content Update",0,0,3,3,30,8,0,"Azure::1,Network Communication::0",Yes "Enterprise ATT&CK",Collection,"Email Collection","Remote Email Collection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Remote Email 
Collection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Remote Email Collection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Bidirectional Communication",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Bidirectional Communication","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Bidirectional Communication","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Bidirectional Communication","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Bidirectional Communication","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","Bidirectional Communication","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Domain Accounts",Any,0,1,4,5,154,101,0,"Change Events Data::20,HR System::0,Windows Security::120",Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Domain Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Domain Accounts","Enterprise Security Content Update",0,1,4,5,154,101,0,"Change Events Data::20,HR System::0,Windows Security::120",Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Domain Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Domain Accounts","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Domain Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Hash",Any,0,0,2,2,19,8,0,"Windows Security::2",Yes "Enterprise ATT&CK","Lateral Movement","Use 
Alternate Authentication Material","Pass the Hash","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Hash","Enterprise Security Content Update",0,0,1,2,19,8,0,"Windows Security::2",Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Hash","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Hash","Splunk Security Essentials",0,0,1,2,19,8,0,"Windows Security::2",Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Hash","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Test",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Test","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Test","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Test","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Test","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Office Test","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Domain Trust Modification",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Domain Trust Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Domain Trust Modification","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Domain Trust Modification","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Domain Trust Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Domain Policy Modification","Domain Trust Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Vulnerability Scanning",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Vulnerability Scanning","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Vulnerability Scanning","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Vulnerability Scanning","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Vulnerability Scanning","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Active Scanning","Vulnerability Scanning","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Tool",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Tool","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Tool","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Tool","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Tool","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Upload Tool","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Email Forwarding Rule",Any,0,0,2,2,30,8,0,"Azure::1",Yes "Enterprise ATT&CK",Collection,"Email Collection","Email Forwarding Rule","Custom 
Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Email Forwarding Rule","Enterprise Security Content Update",0,0,2,2,30,8,0,"Azure::1",Yes "Enterprise ATT&CK",Collection,"Email Collection","Email Forwarding Rule","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Email Forwarding Rule","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Email Collection","Email Forwarding Rule","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","One-Way Communication",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","One-Way Communication","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","One-Way Communication","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","One-Way Communication","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","One-Way Communication","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Web Service","One-Way Communication","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Local Accounts",Any,0,0,3,3,154,101,0,"Change Events Data::20,Windows Security::120",Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Local Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Local Accounts","Enterprise Security Content Update",0,0,1,3,154,101,0,"Change Events Data::20",Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Local Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Local Accounts","Splunk Security Essentials",0,0,2,3,154,101,0,"Windows Security::120",Yes "Enterprise 
ATT&CK","Defense Evasion","Valid Accounts","Local Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Ticket",Any,0,0,3,3,19,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Ticket","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Ticket","Enterprise Security Content Update",0,0,3,3,19,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Ticket","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Ticket","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Pass the Ticket","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Forms",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Forms","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Forms","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Forms","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Forms","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Forms","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Install Digital Certificate",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage 
Capabilities","Install Digital Certificate","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Install Digital Certificate","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Install Digital Certificate","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Install Digital Certificate","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Install Digital Certificate","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Cloud Accounts",Any,0,0,26,26,154,101,0,"AWS::28,Azure::0,Change Events Data::20",Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Cloud Accounts","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Cloud Accounts","Enterprise Security Content Update",0,0,19,26,154,101,0,"AWS::28,Change Events Data::20",Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Cloud Accounts","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Cloud Accounts","Splunk Security Essentials",0,0,7,26,154,101,0,"Azure::0",Yes "Enterprise ATT&CK","Defense Evasion","Valid Accounts","Cloud Accounts","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Web Session Cookie",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Web Session Cookie","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Web Session Cookie","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Web Session Cookie","Splunk App 
for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Web Session Cookie","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Use Alternate Authentication Material","Web Session Cookie","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Home Page",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Home Page","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Home Page","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Home Page","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Home Page","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Home Page","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Drive-by Target",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Drive-by Target","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Drive-by Target","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Drive-by Target","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Drive-by Target","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Drive-by Target","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Rules",Any,0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Persistence,"Office Application Startup","Outlook Rules","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Rules","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Rules","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Rules","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Outlook Rules","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Link Target",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Link Target","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Link Target","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Link Target","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Link Target","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Resource Development","Stage Capabilities","Link Target","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Add-ins",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Add-ins","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Add-ins","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Add-ins","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application Startup","Add-ins","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Office Application 
Startup","Add-ins","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Clipboard Data","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Clipboard Data","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Clipboard Data","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Clipboard Data","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Clipboard Data","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Clipboard Data","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Multi-Stage Channels","-",Any,0,0,1,0,48,1,0,"Network Communication::1",No "Enterprise ATT&CK","Command and Control","Multi-Stage Channels","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Multi-Stage Channels","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Multi-Stage Channels","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Multi-Stage Channels","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Multi-Stage Channels","-","Splunk User Behavior Analytics",0,0,1,0,48,1,0,"Network Communication::1",No "Enterprise ATT&CK","Credential Access","Steal Application Access Token","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal Application Access Token","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal Application Access Token","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal Application Access Token","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal Application Access Token","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK","Credential Access","Steal Application Access Token","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Modify Registry","-",Any,0,0,18,0,154,18,0,"Endpoint Detection and Response::18",No "Enterprise ATT&CK","Defense Evasion","Modify Registry","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Modify Registry","-","Enterprise Security Content Update",0,0,17,0,154,18,0,"Endpoint Detection and Response::18",No "Enterprise ATT&CK","Defense Evasion","Modify Registry","-","Splunk App for Enterprise Security",0,0,1,0,154,18,0,"Endpoint Detection and Response::18",No "Enterprise ATT&CK","Defense Evasion","Modify Registry","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Modify Registry","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Service Scanning","-",Any,0,0,8,0,118,8,0,"Endpoint Detection and Response::1,IDS or IPS::2,Network Communication::5",No "Enterprise ATT&CK",Discovery,"Network Service Scanning","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Service Scanning","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Service Scanning","-","Splunk App for Enterprise Security",0,0,3,0,118,8,0,"IDS or IPS::2,Network Communication::5",No "Enterprise ATT&CK",Discovery,"Network Service Scanning","-","Splunk Security Essentials",0,0,4,0,118,8,0,"Endpoint Detection and Response::1,Network Communication::5",No "Enterprise ATT&CK",Discovery,"Network Service Scanning","-","Splunk User Behavior Analytics",0,0,1,0,118,8,0,"Network Communication::5",No "Enterprise ATT&CK",Execution,"User Execution","-",Any,0,0,14,0,49,26,0,"AWS::1,Anti-Virus or Anti-Malware::8,Endpoint Detection and Response::5",No "Enterprise ATT&CK",Execution,"User Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"User 
Execution","-","Enterprise Security Content Update",0,0,4,0,49,26,0,"AWS::1,Endpoint Detection and Response::5",No "Enterprise ATT&CK",Execution,"User Execution","-","Splunk App for Enterprise Security",0,0,4,0,49,26,0,"Anti-Virus or Anti-Malware::8",No "Enterprise ATT&CK",Execution,"User Execution","-","Splunk Security Essentials",0,0,6,0,49,26,0,"Anti-Virus or Anti-Malware::8,Endpoint Detection and Response::5",No "Enterprise ATT&CK",Execution,"User Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Transfer Data to Cloud Account","-",Any,0,0,2,0,56,2,0,"AWS::1,Windows Security::1",No "Enterprise ATT&CK",Exfiltration,"Transfer Data to Cloud Account","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Transfer Data to Cloud Account","-","Enterprise Security Content Update",0,0,2,0,56,2,0,"AWS::1,Windows Security::1",No "Enterprise ATT&CK",Exfiltration,"Transfer Data to Cloud Account","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Transfer Data to Cloud Account","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Transfer Data to Cloud Account","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Network Denial of Service","-",Any,0,0,6,0,51,7,0,"::1,Cisco IOS::5",No "Enterprise ATT&CK",Impact,"Network Denial of Service","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Network Denial of Service","-","Enterprise Security Content Update",0,0,6,0,51,7,0,"::1,Cisco IOS::5",No "Enterprise ATT&CK",Impact,"Network Denial of Service","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Network Denial of Service","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Network Denial of Service","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial 
Access",Phishing,"-",Any,0,0,3,0,112,46,0,"::1,Google Calendar::1,Google Gdrive::1",No "Enterprise ATT&CK","Initial Access",Phishing,"-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access",Phishing,"-","Enterprise Security Content Update",0,0,3,0,112,46,0,"::1,Google Calendar::1,Google Gdrive::1",No "Enterprise ATT&CK","Initial Access",Phishing,"-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access",Phishing,"-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Initial Access",Phishing,"-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Browser Extensions","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Browser Extensions","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Browser Extensions","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Browser Extensions","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Browser Extensions","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Browser Extensions","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege 
Escalation","Create or Modify System Process","-",Any,0,0,3,0,102,25,0,"Endpoint Detection and Response::4,Microsoft System EventLog::2",No "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","-","Enterprise Security Content Update",0,0,3,0,102,25,0,"Endpoint Detection and Response::4,Microsoft System EventLog::2",No "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"User Execution","Malicious Link",Any,0,0,1,1,49,26,0,"Endpoint Detection and Response::5",Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Link","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Link","Enterprise Security Content Update",0,0,1,1,49,26,0,"Endpoint Detection and Response::5",Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious 
Link","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Link","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Link","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Direct Network Flood",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Direct Network Flood","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Direct Network Flood","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Direct Network Flood","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Direct Network Flood","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Direct Network Flood","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Attachment",Any,0,0,31,31,112,46,0,"Anti-Virus or Anti-Malware::0,Email::0,Endpoint Detection and Response::0,Google Gdrive::1,Google Gmail::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Attachment","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Attachment","Enterprise Security Content Update",0,0,24,31,112,46,0,"Email::0,Endpoint Detection and Response::0,Google Gdrive::1,Google Gmail::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Attachment","Splunk App for Enterprise Security",0,0,3,31,112,46,0,"Anti-Virus or Anti-Malware::0,Email::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Attachment","Splunk Security Essentials",0,0,4,31,112,46,0,"Anti-Virus or Anti-Malware::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing 
Attachment","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","SSH Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","SSH Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","SSH Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","SSH Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","SSH Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","SSH Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Agent",Any,0,0,2,2,102,25,0,"Endpoint Detection and Response::4,OSQuery::0",Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Agent","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Agent","Enterprise Security Content Update",0,0,2,2,102,25,0,"Endpoint Detection and Response::4,OSQuery::0",Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Agent","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Agent","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Agent","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","DNS/Passive DNS",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","DNS/Passive 
DNS","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","DNS/Passive DNS","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","DNS/Passive DNS","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","DNS/Passive DNS","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","DNS/Passive DNS","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious File",Any,0,0,4,4,49,26,0,"Endpoint Detection and Response::5,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious File","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious File","Enterprise Security Content Update",0,0,4,4,49,26,0,"Endpoint Detection and Response::5,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious File","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious File","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious File","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Reflection Amplification",Any,0,0,1,1,51,7,0,"DNS::0",Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Reflection Amplification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Reflection Amplification","Enterprise Security Content Update",0,0,1,1,51,7,0,"DNS::0",Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Reflection Amplification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Reflection Amplification","Splunk Security 
Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Network Denial of Service","Reflection Amplification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Link",Any,0,0,11,11,112,46,0,"Anti-Virus or Anti-Malware::0,Email::0,Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Link","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Link","Enterprise Security Content Update",0,0,1,11,112,46,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Link","Splunk App for Enterprise Security",0,0,3,11,112,46,0,"Anti-Virus or Anti-Malware::0,Email::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Link","Splunk Security Essentials",0,0,7,11,112,46,0,"Anti-Virus or Anti-Malware::0,Email::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing Link","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","RDP Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","RDP Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","RDP Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","RDP Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","RDP Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Lateral Movement","Remote Service Session Hijacking","RDP Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Systemd Service",Any,0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Privilege Escalation","Create or Modify System Process","Systemd Service","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Systemd Service","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Systemd Service","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Systemd Service","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Systemd Service","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",WHOIS,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",WHOIS,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",WHOIS,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",WHOIS,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",WHOIS,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",WHOIS,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Image",Any,0,0,7,7,49,26,0,"::0,AWS::1",Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Image","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Image","Enterprise Security Content Update",0,0,7,7,49,26,0,"::0,AWS::1",Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Image","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Image","Splunk Security 
Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"User Execution","Malicious Image","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing via Service",Any,0,0,1,1,112,46,0,"Web Proxy::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing via Service","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing via Service","Enterprise Security Content Update",0,0,1,1,112,46,0,"Web Proxy::0",Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing via Service","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing via Service","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Initial Access",Phishing,"Spearphishing via Service","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Windows Service",Any,0,0,20,20,102,25,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0,Microsoft System EventLog::2",Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Windows Service","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Windows Service","Enterprise Security Content Update",0,0,12,20,102,25,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0,Microsoft System EventLog::2",Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Windows Service","Splunk App for Enterprise Security",0,0,4,20,102,25,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Windows Service","Splunk Security Essentials",0,0,4,20,102,25,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Windows Service","Splunk User Behavior 
Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Digital Certificates",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Digital Certificates","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Digital Certificates","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Digital Certificates","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Digital Certificates","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Digital Certificates","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Daemon",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Daemon","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Daemon","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Daemon","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Daemon","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Create or Modify System Process","Launch Daemon","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",CDNs,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",CDNs,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",CDNs,"Enterprise Security Content 
Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",CDNs,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",CDNs,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases",CDNs,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Scan Databases",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Scan Databases","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Scan Databases","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Scan Databases","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Scan Databases","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Open Technical Databases","Scan Databases","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Automated Collection","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Automated Collection","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Automated Collection","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Automated Collection","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Automated Collection","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Automated Collection","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Ingress Tool Transfer","-",Any,0,0,15,0,48,15,0,"Endpoint Detection and Response::10,Microsoft Sysmon Logs::1,Network Communication::2,Risk 
Modifiers::1,Windows Security::1",No "Enterprise ATT&CK","Command and Control","Ingress Tool Transfer","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Ingress Tool Transfer","-","Enterprise Security Content Update",0,0,12,0,48,15,0,"Endpoint Detection and Response::10,Microsoft Sysmon Logs::1,Risk Modifiers::1",No "Enterprise ATT&CK","Command and Control","Ingress Tool Transfer","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Ingress Tool Transfer","-","Splunk Security Essentials",0,0,1,0,48,15,0,"Network Communication::2",No "Enterprise ATT&CK","Command and Control","Ingress Tool Transfer","-","Splunk User Behavior Analytics",0,0,2,0,48,15,0,"Network Communication::2,Windows Security::1",No "Enterprise ATT&CK","Credential Access","Steal Web Session Cookie","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal Web Session Cookie","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal Web Session Cookie","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal Web Session Cookie","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal Web Session Cookie","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal Web Session Cookie","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution","-",Any,0,0,3,0,154,7,0,"Endpoint Detection and Response::3",No "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution","-","Enterprise Security Content Update",0,0,3,0,154,7,0,"Endpoint Detection and Response::3",No "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities 
Proxy Execution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Network Connections Discovery","-",Any,0,0,7,0,118,7,0,"Endpoint Detection and Response::6,Windows Security::1",No "Enterprise ATT&CK",Discovery,"System Network Connections Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Network Connections Discovery","-","Enterprise Security Content Update",0,0,5,0,118,7,0,"Endpoint Detection and Response::6,Windows Security::1",No "Enterprise ATT&CK",Discovery,"System Network Connections Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Network Connections Discovery","-","Splunk Security Essentials",0,0,2,0,118,7,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK",Discovery,"System Network Connections Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Inter-Process Communication","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Inter-Process Communication","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Inter-Process Communication","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Inter-Process Communication","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Inter-Process Communication","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Inter-Process Communication","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over 
Web Service","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","-",Any,0,0,1,0,51,1,0,"Network Communication::1",No "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","-","Splunk User Behavior Analytics",0,0,1,0,51,1,0,"Network Communication::1",No "Enterprise ATT&CK","Lateral Movement","Lateral Tool Transfer","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Lateral Tool Transfer","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Lateral Tool Transfer","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Lateral Tool Transfer","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Lateral Tool Transfer","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Lateral Movement","Lateral Tool Transfer","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"BITS Jobs","-",Any,0,0,3,0,100,3,0,"Endpoint Detection and Response::6",No 
"Enterprise ATT&CK",Persistence,"BITS Jobs","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"BITS Jobs","-","Enterprise Security Content Update",0,0,3,0,100,3,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK",Persistence,"BITS Jobs","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"BITS Jobs","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"BITS Jobs","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy 
Execution",MSBuild,Any,0,0,4,4,154,7,0,"Endpoint Detection and Response::3",Yes "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution",MSBuild,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution",MSBuild,"Enterprise Security Content Update",0,0,4,4,154,7,0,"Endpoint Detection and Response::3",Yes "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution",MSBuild,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution",MSBuild,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Trusted Developer Utilities Proxy Execution",MSBuild,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Component Object Model",Any,0,0,1,1,49,1,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Component Object Model","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Component Object Model","Enterprise Security Content Update",0,0,1,1,49,1,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Component Object Model","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Component Object Model","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Component Object Model","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Code Repository",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Code Repository","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web 
Service","Exfiltration to Code Repository","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Code Repository","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Code Repository","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Code Repository","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","OS Exhaustion Flood",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","OS Exhaustion Flood","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","OS Exhaustion Flood","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","OS Exhaustion Flood","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","OS Exhaustion Flood","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","OS Exhaustion Flood","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Change Default File Association",Any,0,0,2,2,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Change Default File Association","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Change Default File Association","Enterprise Security Content Update",0,0,2,2,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Change Default File Association","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege 
Escalation","Event Triggered Execution","Change Default File Association","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Change Default File Association","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Threat Intel Vendors",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Threat Intel Vendors","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Threat Intel Vendors","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Threat Intel Vendors","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Threat Intel Vendors","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Threat Intel Vendors","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Dynamic Data Exchange",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Dynamic Data Exchange","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Dynamic Data Exchange","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Dynamic Data Exchange","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Dynamic Data Exchange","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"Inter-Process Communication","Dynamic Data Exchange","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Cloud Storage",Any,0,0,1,1,56,1,0,"Google Gdrive::0",Yes "Enterprise 
ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Cloud Storage","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Cloud Storage","Enterprise Security Content Update",0,0,1,1,56,1,0,"Google Gdrive::0",Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Cloud Storage","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Cloud Storage","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Exfiltration,"Exfiltration Over Web Service","Exfiltration to Cloud Storage","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Service Exhaustion Flood",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Service Exhaustion Flood","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Service Exhaustion Flood","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Service Exhaustion Flood","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Service Exhaustion Flood","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Service Exhaustion Flood","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Screensaver,Any,0,0,1,1,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Screensaver,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Screensaver,"Enterprise Security Content Update",0,0,1,1,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege 
Escalation","Event Triggered Execution",Screensaver,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Screensaver,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Screensaver,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Purchase Technical Data",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Purchase Technical Data","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Purchase Technical Data","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Purchase Technical Data","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Purchase Technical Data","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Search Closed Sources","Purchase Technical Data","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application Exhaustion Flood",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application Exhaustion Flood","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application Exhaustion Flood","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application Exhaustion Flood","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application Exhaustion Flood","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application Exhaustion Flood","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event 
Triggered Execution","Windows Management Instrumentation Event Subscription",Any,0,0,2,2,102,13,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Windows Management Instrumentation Event Subscription","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Windows Management Instrumentation Event Subscription","Enterprise Security Content Update",0,0,2,2,102,13,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Windows Management Instrumentation Event Subscription","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Windows Management Instrumentation Event Subscription","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Windows Management Instrumentation Event Subscription","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application or System Exploitation",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application or System Exploitation","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application or System Exploitation","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application or System Exploitation","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application or System Exploitation","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Endpoint Denial of Service","Application or System Exploitation","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Unix Shell Configuration 
Modification",Any,0,0,2,2,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Unix Shell Configuration Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Unix Shell Configuration Modification","Enterprise Security Content Update",0,0,2,2,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Unix Shell Configuration Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Unix Shell Configuration Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Unix Shell Configuration Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Trap,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Trap,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Trap,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Trap,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Trap,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Trap,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","LC_LOAD_DYLIB Addition",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","LC_LOAD_DYLIB Addition","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","LC_LOAD_DYLIB 
Addition","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","LC_LOAD_DYLIB Addition","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","LC_LOAD_DYLIB Addition","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","LC_LOAD_DYLIB Addition","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Netsh Helper DLL",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Netsh Helper DLL","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Netsh Helper DLL","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Netsh Helper DLL","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Netsh Helper DLL","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Netsh Helper DLL","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Accessibility Features",Any,0,0,1,1,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Accessibility Features","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Accessibility Features","Enterprise Security Content Update",0,0,1,1,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Accessibility Features","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege 
Escalation","Event Triggered Execution","Accessibility Features","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Accessibility Features","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppCert DLLs",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppCert DLLs","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppCert DLLs","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppCert DLLs","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppCert DLLs","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppCert DLLs","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppInit DLLs",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppInit DLLs","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppInit DLLs","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppInit DLLs","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppInit DLLs","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","AppInit DLLs","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Application Shimming",Any,0,0,3,3,102,13,0,"Endpoint Detection and Response::0",Yes 
"Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Application Shimming","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Application Shimming","Enterprise Security Content Update",0,0,3,3,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Application Shimming","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Application Shimming","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Application Shimming","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Image File Execution Options Injection",Any,0,0,1,1,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Image File Execution Options Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Image File Execution Options Injection","Enterprise Security Content Update",0,0,1,1,102,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Image File Execution Options Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Image File Execution Options Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Image File Execution Options Injection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","PowerShell Profile",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","PowerShell Profile","Custom 
Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","PowerShell Profile","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","PowerShell Profile","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","PowerShell Profile","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","PowerShell Profile","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Emond,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Emond,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Emond,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Emond,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Emond,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution",Emond,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Component Object Model Hijacking",Any,0,0,1,1,102,13,0,"Windows Security::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Component Object Model Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Component Object Model Hijacking","Enterprise Security Content Update",0,0,1,1,102,13,0,"Windows Security::0",Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Component Object Model Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Privilege Escalation","Event Triggered Execution","Component Object Model Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Event Triggered Execution","Component Object Model Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Audio Capture","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Audio Capture","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Audio Capture","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Audio Capture","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Audio Capture","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Audio Capture","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Encoding","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Encoding","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Encoding","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Encoding","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Encoding","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Encoding","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Unsecured Credentials","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Unsecured Credentials","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Unsecured Credentials","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Unsecured Credentials","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Unsecured 
Credentials","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Unsecured Credentials","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","-",Any,0,0,1,0,154,3,0,"Windows Security::2",No "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","-","Splunk Security Essentials",0,0,1,0,154,3,0,"Windows Security::2",No "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Process Discovery","-",Any,0,0,4,0,118,4,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK",Discovery,"Process Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Process Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Process Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Process Discovery","-","Splunk Security Essentials",0,0,4,0,118,4,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK",Discovery,"Process Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"System Services","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"System Services","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"System Services","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"System Services","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"System 
Services","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"System Services","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"System Shutdown/Reboot","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"System Shutdown/Reboot","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"System Shutdown/Reboot","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"System Shutdown/Reboot","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"System Shutdown/Reboot","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"System Shutdown/Reboot","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Traffic Signaling","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Traffic Signaling","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Traffic Signaling","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Traffic Signaling","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Traffic Signaling","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Traffic Signaling","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No 
"Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Data Encoding","Standard Encoding",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Standard Encoding","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Standard Encoding","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Standard Encoding","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Standard Encoding","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Standard Encoding","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials In Files",Any,0,1,0,1,35,4,0,"Any Splunk Logs::0",Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials In Files","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials In Files","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured 
Credentials","Credentials In Files","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials In Files","Splunk Security Essentials",0,1,0,1,35,4,0,"Any Splunk Logs::0",Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials In Files","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Token Impersonation/Theft",Any,0,0,1,1,154,3,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Token Impersonation/Theft","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Token Impersonation/Theft","Enterprise Security Content Update",0,0,1,1,154,3,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Token Impersonation/Theft","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Token Impersonation/Theft","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Token Impersonation/Theft","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"System Services",Launchctl,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"System Services",Launchctl,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"System Services",Launchctl,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"System Services",Launchctl,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"System Services",Launchctl,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"System Services",Launchctl,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Traffic Signaling","Port 
Knocking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Traffic Signaling","Port Knocking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Traffic Signaling","Port Knocking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Traffic Signaling","Port Knocking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Traffic Signaling","Port Knocking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Traffic Signaling","Port Knocking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder",Any,0,0,3,3,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Enterprise Security Content Update",0,0,2,3,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Splunk Security Essentials",0,0,1,3,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Service",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Service","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for 
Information","Spearphishing Service","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Service","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Service","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Service","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Non-Standard Encoding",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Non-Standard Encoding","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Non-Standard Encoding","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Non-Standard Encoding","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Non-Standard Encoding","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Data Encoding","Non-Standard Encoding","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials in Registry",Any,0,0,2,2,35,4,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials in Registry","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials in Registry","Enterprise Security Content Update",0,0,2,2,35,4,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials in Registry","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials in Registry","Splunk Security 
Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Credentials in Registry","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Create Process with Token",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Create Process with Token","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Create Process with Token","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Create Process with Token","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Create Process with Token","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Create Process with Token","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"System Services","Service Execution",Any,0,0,12,12,49,12,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0,Microsoft System EventLog::0,Network Communication::0",Yes "Enterprise ATT&CK",Execution,"System Services","Service Execution","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Execution,"System Services","Service Execution","Enterprise Security Content Update",0,0,5,12,49,12,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0,Microsoft System EventLog::0",Yes "Enterprise ATT&CK",Execution,"System Services","Service Execution","Splunk App for Enterprise Security",0,0,3,12,49,12,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Execution,"System Services","Service Execution","Splunk Security Essentials",0,0,4,12,49,12,0,"Endpoint Detection and Response::0,Network Communication::0",Yes "Enterprise ATT&CK",Execution,"System Services","Service Execution","Splunk User Behavior 
Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Authentication Package",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Authentication Package","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Authentication Package","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Authentication Package","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Authentication Package","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Authentication Package","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Attachment",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Attachment","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Attachment","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Attachment","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Attachment","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Attachment","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Bash History",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Bash History","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured 
Credentials","Bash History","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Bash History","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Bash History","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Bash History","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Make and Impersonate Token",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Make and Impersonate Token","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Make and Impersonate Token","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Make and Impersonate Token","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Make and Impersonate Token","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Make and Impersonate Token","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Time Providers",Any,0,0,1,1,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Time Providers","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Time Providers","Enterprise Security Content Update",0,0,1,1,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Time Providers","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot 
or Logon Autostart Execution","Time Providers","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Time Providers","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Link",Any,0,0,1,1,5,1,0,"DNS::0",Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Link","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Link","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Link","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Link","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Reconnaissance,"Phishing for Information","Spearphishing Link","Splunk User Behavior Analytics",0,0,1,1,5,1,0,"DNS::0",Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Private Keys",Any,0,1,0,1,35,4,0,"Any Splunk Logs::0",Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Private Keys","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Private Keys","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Private Keys","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Private Keys","Splunk Security Essentials",0,1,0,1,35,4,0,"Any Splunk Logs::0",Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Private Keys","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Parent PID Spoofing",Any,0,0,1,1,154,3,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense 
Evasion","Access Token Manipulation","Parent PID Spoofing","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Parent PID Spoofing","Enterprise Security Content Update",0,0,1,1,154,3,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Parent PID Spoofing","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Parent PID Spoofing","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","Parent PID Spoofing","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Winlogon Helper DLL",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Winlogon Helper DLL","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Winlogon Helper DLL","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Winlogon Helper DLL","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Winlogon Helper DLL","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Winlogon Helper DLL","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Cloud Instance Metadata API",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Cloud Instance Metadata API","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Cloud Instance Metadata API","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Credential Access","Unsecured Credentials","Cloud Instance Metadata API","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Cloud Instance Metadata API","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Cloud Instance Metadata API","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","SID-History Injection",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","SID-History Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","SID-History Injection","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","SID-History Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","SID-History Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Access Token Manipulation","SID-History Injection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Security Support Provider",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Security Support Provider","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Security Support Provider","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Security Support Provider","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Security Support Provider","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Security Support Provider","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Group Policy Preferences",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Group Policy Preferences","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Group Policy Preferences","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Group Policy Preferences","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Group Policy Preferences","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Group Policy Preferences","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Kernel Modules and Extensions",Any,0,0,3,3,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Kernel Modules and Extensions","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Kernel Modules and Extensions","Enterprise Security Content Update",0,0,3,3,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Kernel Modules and Extensions","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Kernel Modules and Extensions","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Kernel Modules and Extensions","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Credential Access","Unsecured Credentials","Container API",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Container API","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Container API","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Container API","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Container API","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Unsecured Credentials","Container API","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Re-opened Applications",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Re-opened Applications","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Re-opened Applications","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Re-opened Applications","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Re-opened Applications","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Re-opened Applications","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","LSASS Driver",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","LSASS Driver","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","LSASS Driver","Enterprise 
Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","LSASS Driver","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","LSASS Driver","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","LSASS Driver","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Shortcut Modification",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Shortcut Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Shortcut Modification","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Shortcut Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Shortcut Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Shortcut Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Port Monitors",Any,0,0,1,1,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Port Monitors","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Port Monitors","Enterprise Security Content Update",0,0,1,1,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Port Monitors","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Port Monitors","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Port Monitors","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Plist Modification",Any,0,0,1,1,102,17,0,"::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Plist Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Plist Modification","Enterprise Security Content Update",0,0,1,1,102,17,0,"::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Plist Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Plist Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Plist Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Print Processors",Any,0,0,7,7,102,17,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0,Microsoft Windows Print Service::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Print Processors","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Print Processors","Enterprise Security Content Update",0,0,7,7,102,17,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0,Microsoft Windows Print Service::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Print Processors","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon 
Autostart Execution","Print Processors","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Print Processors","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","XDG Autostart Entries",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","XDG Autostart Entries","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","XDG Autostart Entries","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","XDG Autostart Entries","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","XDG Autostart Entries","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","XDG Autostart Entries","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Active Setup",Any,0,0,1,1,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Active Setup","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Active Setup","Enterprise Security Content Update",0,0,1,1,102,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Active Setup","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Active Setup","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Active Setup","Splunk 
User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Login Items",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Login Items","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Login Items","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Login Items","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Login Items","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Boot or Logon Autostart Execution","Login Items","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Video Capture","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Video Capture","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Video Capture","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Video Capture","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Video Capture","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Video Capture","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Traffic Signaling","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Traffic Signaling","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Traffic Signaling","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Traffic Signaling","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Traffic Signaling","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK","Command and Control","Traffic Signaling","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Deobfuscate/Decode Files or Information","-",Any,0,0,2,0,154,2,0,"Endpoint Detection and Response::1,Windows Security::1",No "Enterprise ATT&CK","Defense Evasion","Deobfuscate/Decode Files or Information","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Deobfuscate/Decode Files or Information","-","Enterprise Security Content Update",0,0,2,0,154,2,0,"Endpoint Detection and Response::1,Windows Security::1",No "Enterprise ATT&CK","Defense Evasion","Deobfuscate/Decode Files or Information","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Deobfuscate/Decode Files or Information","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Deobfuscate/Decode Files or Information","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","-",Any,0,0,4,0,118,34,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Permission 
Groups Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","-","Splunk Security Essentials",0,0,4,0,118,34,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Container Administration Command","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Container Administration Command","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Container Administration Command","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Container Administration Command","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Container Administration Command","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Container Administration Command","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Account Access Removal","-",Any,0,0,4,0,51,4,1,"Change Events Data::1,Endpoint Detection and Response::3",No "Enterprise ATT&CK",Impact,"Account Access Removal","-","Custom Content",0,0,1,0,51,4,1,"Change Events Data::1",No "Enterprise ATT&CK",Impact,"Account Access Removal","-","Enterprise Security Content Update",0,0,3,0,51,4,0,"Endpoint Detection and Response::3",No "Enterprise ATT&CK",Impact,"Account Access Removal","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Account Access Removal","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Account Access Removal","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Server Software Component","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Server Software 
Component","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Server Software Component","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Server Software Component","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Server Software Component","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Server Software Component","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","-",Any,0,0,2,0,102,23,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","-","Enterprise Security Content Update",0,0,2,0,102,23,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Traffic Signaling","Port Knocking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Traffic Signaling","Port Knocking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Traffic Signaling","Port Knocking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Traffic Signaling","Port Knocking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Traffic Signaling","Port Knocking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and 
Control","Traffic Signaling","Port Knocking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores",Keychain,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores",Keychain,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores",Keychain,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores",Keychain,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores",Keychain,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores",Keychain,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Local Groups",Any,0,0,11,11,118,34,0,"Endpoint Detection and Response::4,Windows Security::0",Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Local Groups","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Local Groups","Enterprise Security Content Update",0,0,11,11,118,34,0,"Endpoint Detection and Response::4,Windows Security::0",Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Local Groups","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Local Groups","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Local Groups","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","SQL Stored Procedures",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","SQL Stored Procedures","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software 
Component","SQL Stored Procedures","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","SQL Stored Procedures","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","SQL Stored Procedures","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","SQL Stored Procedures","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Setuid and Setgid",Any,0,0,3,3,102,23,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Setuid and Setgid","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Setuid and Setgid","Enterprise Security Content Update",0,0,3,3,102,23,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Setuid and Setgid","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Setuid and Setgid","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Setuid and Setgid","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Securityd Memory",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Securityd Memory","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Securityd Memory","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Securityd Memory","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Securityd Memory","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Securityd Memory","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Domain Groups",Any,0,0,18,18,118,34,0,"Endpoint Detection and Response::4,Windows Security::0",Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Domain Groups","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Domain Groups","Enterprise Security Content Update",0,0,18,18,118,34,0,"Endpoint Detection and Response::4,Windows Security::0",Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Domain Groups","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Domain Groups","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Domain Groups","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Transport Agent",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Transport Agent","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Transport Agent","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Transport Agent","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Transport Agent","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Transport Agent","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Bypass User Account 
Control",Any,0,0,11,11,102,23,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Bypass User Account Control","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Bypass User Account Control","Enterprise Security Content Update",0,0,11,11,102,23,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Bypass User Account Control","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Bypass User Account Control","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Bypass User Account Control","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Credentials from Web Browsers",Any,0,0,3,3,35,3,0,"Endpoint Detection and Response::0,Windows Security::0",Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Credentials from Web Browsers","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Credentials from Web Browsers","Enterprise Security Content Update",0,0,3,3,35,3,0,"Endpoint Detection and Response::0,Windows Security::0",Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Credentials from Web Browsers","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Credentials from Web Browsers","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Credentials from Web Browsers","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Discovery,"Permission Groups Discovery","Cloud Groups",Any,0,0,1,1,118,34,0,"AWS::0",Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Cloud Groups","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Cloud Groups","Enterprise Security Content Update",0,0,1,1,118,34,0,"AWS::0",Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Cloud Groups","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Cloud Groups","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Permission Groups Discovery","Cloud Groups","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Web Shell",Any,0,0,6,6,100,6,0,"Endpoint Detection and Response::0,Web Proxy::0,Web Server::0",Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Web Shell","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Web Shell","Enterprise Security Content Update",0,0,6,6,100,6,0,"Endpoint Detection and Response::0,Web Proxy::0,Web Server::0",Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Web Shell","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Web Shell","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","Web Shell","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Sudo and Sudo Caching",Any,0,0,7,7,102,23,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Enterprise Security Content 
Update",0,0,7,7,102,23,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Windows Credential Manager",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Windows Credential Manager","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Windows Credential Manager","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Windows Credential Manager","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Windows Credential Manager","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Windows Credential Manager","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","IIS Components",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","IIS Components","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","IIS Components","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","IIS Components","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","IIS Components","Splunk Security 
Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Server Software Component","IIS Components","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Elevated Execution with Prompt",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Elevated Execution with Prompt","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Elevated Execution with Prompt","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Elevated Execution with Prompt","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Elevated Execution with Prompt","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Abuse Elevation Control Mechanism","Elevated Execution with Prompt","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Password Managers",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Password Managers","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Password Managers","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Password Managers","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Password Managers","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Credentials from Password Stores","Password Managers","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Browser Session 
Hijacking","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Browser Session Hijacking","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Browser Session Hijacking","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Browser Session Hijacking","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Browser Session Hijacking","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Browser Session Hijacking","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Remote Access Software","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Remote Access Software","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Remote Access Software","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Remote Access Software","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Remote Access Software","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Remote Access Software","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Modify Authentication Process","-",Any,0,0,2,0,35,2,0,"Azure::6",No "Enterprise ATT&CK","Credential Access","Modify Authentication Process","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Modify Authentication Process","-","Enterprise Security Content Update",0,0,2,0,35,2,0,"Azure::6",No "Enterprise ATT&CK","Credential Access","Modify Authentication Process","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Modify Authentication Process","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Modify Authentication Process","-","Splunk User Behavior 
Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","BITS Jobs","-",Any,0,0,3,0,154,3,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK","Defense Evasion","BITS Jobs","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","BITS Jobs","-","Enterprise Security Content Update",0,0,3,0,154,3,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK","Defense Evasion","BITS Jobs","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","BITS Jobs","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","BITS Jobs","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Information Discovery","-",Any,0,0,7,0,118,7,0,"Endpoint Detection and Response::6,Web Server::1",No "Enterprise ATT&CK",Discovery,"System Information Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Information Discovery","-","Enterprise Security Content Update",0,0,3,0,118,7,0,"Endpoint Detection and Response::6,Web Server::1",No "Enterprise ATT&CK",Discovery,"System Information Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Information Discovery","-","Splunk Security Essentials",0,0,4,0,118,7,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK",Discovery,"System Information Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Deploy Container","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Deploy Container","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Deploy Container","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Deploy Container","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Execution,"Deploy Container","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK",Execution,"Deploy Container","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Disk Wipe","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Disk Wipe","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Disk Wipe","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Disk Wipe","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Disk Wipe","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Disk Wipe","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Implant Internal Image","-",Any,0,0,2,0,100,2,0,"Cloud Infrastructure Data::2",No "Enterprise ATT&CK",Persistence,"Implant Internal Image","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Implant Internal Image","-","Enterprise Security Content Update",0,0,2,0,100,2,0,"Cloud Infrastructure Data::2",No "Enterprise ATT&CK",Persistence,"Implant Internal Image","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Implant Internal Image","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Implant Internal Image","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","-","Splunk User Behavior 
Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Domain Controller Authentication",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Domain Controller Authentication","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Domain Controller Authentication","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Domain Controller Authentication","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Domain Controller Authentication","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Domain Controller Authentication","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Content Wipe",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Content Wipe","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Content Wipe","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Content Wipe","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Content Wipe","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Content Wipe","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Search Order Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Search Order Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Search Order Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Search Order Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Search Order Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Search Order Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Password Filter DLL",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Password Filter DLL","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Password Filter DLL","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Password Filter DLL","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Password Filter DLL","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Password Filter DLL","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Structure Wipe",Any,0,0,2,2,51,2,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Structure Wipe","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Structure Wipe","Enterprise Security Content Update",0,0,2,2,51,2,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Structure Wipe","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Structure Wipe","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Disk Wipe","Disk Structure Wipe","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege 
Escalation","Hijack Execution Flow","DLL Side-Loading",Any,0,0,2,2,102,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Side-Loading","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Side-Loading","Enterprise Security Content Update",0,0,2,2,102,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Side-Loading","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Side-Loading","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","DLL Side-Loading","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Pluggable Authentication Modules",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Pluggable Authentication Modules","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Pluggable Authentication Modules","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Pluggable Authentication Modules","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Pluggable Authentication Modules","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Pluggable Authentication Modules","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dylib Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dylib Hijacking","Custom 
Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dylib Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dylib Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dylib Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dylib Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Network Device Authentication",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Network Device Authentication","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Network Device Authentication","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Network Device Authentication","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Network Device Authentication","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Modify Authentication Process","Network Device Authentication","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Executable Installer File Permissions Weakness",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Executable Installer File Permissions Weakness","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Executable Installer File Permissions Weakness","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution 
Flow","Executable Installer File Permissions Weakness","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Executable Installer File Permissions Weakness","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Executable Installer File Permissions Weakness","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dynamic Linker Hijacking",Any,0,0,1,1,102,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dynamic Linker Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dynamic Linker Hijacking","Enterprise Security Content Update",0,0,1,1,102,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dynamic Linker Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dynamic Linker Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Dynamic Linker Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by PATH Environment Variable",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by PATH Environment Variable","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by PATH Environment Variable","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by PATH Environment Variable","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by PATH Environment Variable","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by PATH Environment Variable","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Search Order Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Search Order Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Search Order Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Search Order Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Search Order Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Search Order Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Unquoted Path",Any,0,0,1,1,102,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Unquoted Path","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Unquoted Path","Enterprise Security Content Update",0,0,1,1,102,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Unquoted Path","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack 
Execution Flow","Path Interception by Unquoted Path","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Path Interception by Unquoted Path","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services File Permissions Weakness",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services File Permissions Weakness","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services File Permissions Weakness","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services File Permissions Weakness","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services File Permissions Weakness","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services File Permissions Weakness","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services Registry Permissions Weakness",Any,0,0,4,4,102,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services Registry Permissions Weakness","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services Registry Permissions Weakness","Enterprise Security Content Update",0,0,2,4,102,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services Registry Permissions Weakness","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services Registry Permissions Weakness","Splunk Security Essentials",0,0,2,4,102,8,0,"Endpoint 
Detection and Response::0",Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","Services Registry Permissions Weakness","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","COR_PROFILER",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","COR_PROFILER","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","COR_PROFILER","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","COR_PROFILER","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","COR_PROFILER","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Privilege Escalation","Hijack Execution Flow","COR_PROFILER","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories","-",Any,0,0,13,0,30,13,0,"Cerner::1,Network Communication::2,SFDC::5,Web Server::4,Windows Security::1",No "Enterprise ATT&CK",Collection,"Data from Information Repositories","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Information Repositories","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Information Repositories","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Information Repositories","-","Splunk Security Essentials",0,0,11,0,30,13,0,"Cerner::1,SFDC::5,Web Server::4,Windows Security::1",No "Enterprise ATT&CK",Collection,"Data from Information Repositories","-","Splunk User Behavior Analytics",0,0,2,0,30,13,0,"Network Communication::2",No "Enterprise ATT&CK","Command and Control","Dynamic Resolution","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Dynamic Resolution","-","Custom 
Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Dynamic Resolution","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Dynamic Resolution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Dynamic Resolution","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Dynamic Resolution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","-",Any,0,0,1,0,35,4,0,"Cisco IOS::2",No "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","-","Enterprise Security Content Update",0,0,1,0,35,4,0,"Cisco IOS::2",No "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Indirect Command Execution","-",Any,0,0,2,0,154,2,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK","Defense Evasion","Indirect Command Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Indirect Command Execution","-","Enterprise Security Content Update",0,0,2,0,154,2,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK","Defense Evasion","Indirect Command Execution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Indirect Command Execution","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Indirect Command Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK",Discovery,"File and Directory Discovery","-",Any,0,0,1,0,118,1,0,"::1",No "Enterprise ATT&CK",Discovery,"File and Directory Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"File and Directory Discovery","-","Enterprise Security Content Update",0,0,1,0,118,1,0,"::1",No "Enterprise ATT&CK",Discovery,"File and Directory Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"File and Directory Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"File and Directory Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Manipulation","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Manipulation","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Manipulation","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Manipulation","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Manipulation","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Impact,"Data Manipulation","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Pre-OS Boot","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Pre-OS Boot","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Pre-OS Boot","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Pre-OS Boot","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Pre-OS Boot","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Pre-OS Boot","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Escape to Host","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Escape to Host","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK","Privilege Escalation","Escape to Host","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Escape to Host","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Escape to Host","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Privilege Escalation","Escape to Host","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Information Repositories",Confluence,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Confluence,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Confluence,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Confluence,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Confluence,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Confluence,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Fast Flux DNS",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Fast Flux DNS","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Fast Flux DNS","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Fast Flux DNS","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Fast Flux DNS","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Fast Flux DNS","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential 
Access","Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Stored Data Manipulation",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Stored Data Manipulation","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Stored Data Manipulation","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Stored Data Manipulation","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Stored Data Manipulation","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Stored Data Manipulation","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","System Firmware",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","System Firmware","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","System Firmware","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","System Firmware","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","System Firmware","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","System Firmware","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Sharepoint,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Sharepoint,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Sharepoint,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Sharepoint,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Sharepoint,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories",Sharepoint,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Domain Generation Algorithms",Any,0,0,2,2,48,2,0,"DNS::0",Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Domain Generation Algorithms","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Domain Generation Algorithms","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Domain Generation Algorithms","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Domain Generation Algorithms","Splunk Security Essentials",0,0,1,2,48,2,0,"DNS::0",Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","Domain Generation Algorithms","Splunk User Behavior Analytics",0,0,1,2,48,2,0,"DNS::0",Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","ARP Cache Poisoning",Any,0,0,3,3,35,4,0,"Cisco IOS::2",Yes 
"Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","ARP Cache Poisoning","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","ARP Cache Poisoning","Enterprise Security Content Update",0,0,3,3,35,4,0,"Cisco IOS::2",Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","ARP Cache Poisoning","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","ARP Cache Poisoning","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Adversary-in-the-Middle","ARP Cache Poisoning","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Transmitted Data Manipulation",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Transmitted Data Manipulation","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Transmitted Data Manipulation","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Transmitted Data Manipulation","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Transmitted Data Manipulation","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Transmitted Data Manipulation","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","Component Firmware",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","Component Firmware","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","Component Firmware","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","Component Firmware","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","Component Firmware","Splunk Security 
Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","Component Firmware","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories","Code Repositories",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories","Code Repositories","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories","Code Repositories","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories","Code Repositories","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories","Code Repositories","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Information Repositories","Code Repositories","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","DNS Calculation",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","DNS Calculation","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","DNS Calculation","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","DNS Calculation","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","DNS Calculation","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Dynamic Resolution","DNS Calculation","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Runtime Data Manipulation",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Runtime Data Manipulation","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Runtime Data 
Manipulation","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Runtime Data Manipulation","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Runtime Data Manipulation","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Impact,"Data Manipulation","Runtime Data Manipulation","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",Bootkit,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",Bootkit,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",Bootkit,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",Bootkit,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",Bootkit,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",Bootkit,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",ROMMONkit,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",ROMMONkit,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",ROMMONkit,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",ROMMONkit,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",ROMMONkit,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot",ROMMONkit,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","TFTP Boot",Any,0,0,1,1,100,1,0,"Network Communication::0",Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","TFTP Boot","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","TFTP Boot","Enterprise Security Content Update",0,0,1,1,100,1,0,"Network Communication::0",Yes 
"Enterprise ATT&CK",Persistence,"Pre-OS Boot","TFTP Boot","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","TFTP Boot","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Pre-OS Boot","TFTP Boot","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Cloud Storage Object","-",Any,0,0,6,0,30,6,0,"AWS::4,GCP::2",No "Enterprise ATT&CK",Collection,"Data from Cloud Storage Object","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Cloud Storage Object","-","Enterprise Security Content Update",0,0,6,0,30,6,0,"AWS::4,GCP::2",No "Enterprise ATT&CK",Collection,"Data from Cloud Storage Object","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Cloud Storage Object","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Cloud Storage Object","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Non-Standard Port","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Non-Standard Port","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Non-Standard Port","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Non-Standard Port","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Non-Standard Port","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Non-Standard Port","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","-",Any,0,0,4,0,35,15,0,"Windows Security::4",No "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos 
Tickets","-","Enterprise Security Content Update",0,0,4,0,35,15,0,"Windows Security::4",No "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Account Discovery","-",Any,0,0,5,0,118,33,0,"Endpoint Detection and Response::4,Windows Security::1",No "Enterprise ATT&CK",Discovery,"Account Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Account Discovery","-","Enterprise Security Content Update",0,0,1,0,118,33,0,"Windows Security::1",No "Enterprise ATT&CK",Discovery,"Account Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Account Discovery","-","Splunk Security Essentials",0,0,4,0,118,33,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK",Discovery,"Account Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Create or Modify System Process","-",Any,0,0,3,0,100,25,0,"Endpoint Detection and Response::4,Microsoft System EventLog::2",No "Enterprise 
ATT&CK",Persistence,"Create or Modify System Process","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Create or Modify System Process","-","Enterprise Security Content Update",0,0,3,0,100,25,0,"Endpoint Detection and Response::4,Microsoft System EventLog::2",No "Enterprise ATT&CK",Persistence,"Create or Modify System Process","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Create or Modify System Process","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Create or Modify System Process","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Golden Ticket",Any,0,0,1,1,35,15,0,"Windows Security::4",Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Golden Ticket","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Golden Ticket","Enterprise Security Content Update",0,0,1,1,35,15,0,"Windows Security::4",Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Golden Ticket","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Golden Ticket","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Golden Ticket","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","Port Knocking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","Port Knocking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","Port Knocking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","Port Knocking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Defense Evasion","Traffic Signaling","Port Knocking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Traffic Signaling","Port Knocking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Local Account",Any,0,0,11,11,118,33,0,"Endpoint Detection and Response::4,Windows Security::1",Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Local Account","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Local Account","Enterprise Security Content Update",0,0,11,11,118,33,0,"Endpoint Detection and Response::4,Windows Security::1",Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Local Account","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Local Account","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Local Account","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Agent",Any,0,0,2,2,100,25,0,"Endpoint Detection and Response::4,OSQuery::0",Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Agent","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Agent","Enterprise Security Content Update",0,0,2,2,100,25,0,"Endpoint Detection and Response::4,OSQuery::0",Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Agent","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Agent","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Agent","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Silver Ticket",Any,0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Silver Ticket","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Silver Ticket","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Silver Ticket","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Silver Ticket","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","Silver Ticket","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Domain Account",Any,0,0,17,17,118,33,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0,Windows Security::1",Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Domain Account","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Domain Account","Enterprise Security Content Update",0,0,17,17,118,33,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0,Windows Security::1",Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Domain Account","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Domain Account","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Domain Account","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Systemd Service",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Systemd Service","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Systemd Service","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Systemd 
Service","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Systemd Service","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Systemd Service","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets",Kerberoasting,Any,0,0,5,5,35,15,0,"Endpoint Detection and Response::0,Windows Security::4",Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets",Kerberoasting,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets",Kerberoasting,"Enterprise Security Content Update",0,0,5,5,35,15,0,"Endpoint Detection and Response::0,Windows Security::4",Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets",Kerberoasting,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets",Kerberoasting,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets",Kerberoasting,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Email Account",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Email Account","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Email Account","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Email Account","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Email Account","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Email Account","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Windows 
Service",Any,0,0,20,20,100,25,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0,Microsoft System EventLog::2",Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Windows Service","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Windows Service","Enterprise Security Content Update",0,0,12,20,100,25,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0,Microsoft System EventLog::2",Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Windows Service","Splunk App for Enterprise Security",0,0,4,20,100,25,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Windows Service","Splunk Security Essentials",0,0,4,20,100,25,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Windows Service","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","AS-REP Roasting",Any,0,0,5,5,35,15,0,"Endpoint Detection and Response::0,Windows Security::4",Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","AS-REP Roasting","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","AS-REP Roasting","Enterprise Security Content Update",0,0,5,5,35,15,0,"Endpoint Detection and Response::0,Windows Security::4",Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","AS-REP Roasting","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","AS-REP Roasting","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Steal or Forge Kerberos Tickets","AS-REP Roasting","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Cloud Account",Any,0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK",Discovery,"Account Discovery","Cloud Account","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Cloud Account","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Cloud Account","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Cloud Account","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Account Discovery","Cloud Account","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Daemon",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Daemon","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Daemon","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Daemon","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Daemon","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Create or Modify System Process","Launch Daemon","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","-",Any,0,0,1,0,30,4,0,"Cisco IOS::2",No "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","-","Enterprise Security Content Update",0,0,1,0,30,4,0,"Cisco IOS::2",No "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","-","Splunk User Behavior 
Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Protocol Tunneling","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Protocol Tunneling","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Protocol Tunneling","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Protocol Tunneling","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Protocol Tunneling","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Protocol Tunneling","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Forge Web Credentials","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Forge Web Credentials","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Forge Web Credentials","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Forge Web Credentials","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Forge Web Credentials","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Credential Access","Forge Web Credentials","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Rogue Domain Controller","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Rogue Domain Controller","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Rogue Domain Controller","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Rogue Domain Controller","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Rogue Domain Controller","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Rogue Domain Controller","-","Splunk 
User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Peripheral Device Discovery","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Peripheral Device Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Peripheral Device Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Peripheral Device Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Peripheral Device Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Peripheral Device Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Event Triggered Execution","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Event Triggered Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Event Triggered Execution","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Event Triggered Execution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Event Triggered Execution","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Event Triggered Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Splunk 
Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","LLMNR/NBT-NS Poisoning and SMB Relay","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","Web Cookies",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","Web Cookies","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","Web Cookies","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","Web Cookies","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","Web Cookies","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","Web Cookies","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Change Default File Association",Any,0,0,2,2,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Change Default File Association","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Change Default File Association","Enterprise Security Content Update",0,0,2,2,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Change Default File Association","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Change Default File Association","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Change Default File Association","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","ARP Cache Poisoning",Any,0,0,3,3,30,4,0,"Cisco IOS::2",Yes "Enterprise 
ATT&CK",Collection,"Adversary-in-the-Middle","ARP Cache Poisoning","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","ARP Cache Poisoning","Enterprise Security Content Update",0,0,3,3,30,4,0,"Cisco IOS::2",Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","ARP Cache Poisoning","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","ARP Cache Poisoning","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Adversary-in-the-Middle","ARP Cache Poisoning","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","SAML Tokens",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","SAML Tokens","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","SAML Tokens","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","SAML Tokens","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","SAML Tokens","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Credential Access","Forge Web Credentials","SAML Tokens","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Screensaver,Any,0,0,1,1,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Screensaver,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Screensaver,"Enterprise Security Content Update",0,0,1,1,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Screensaver,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered 
Execution",Screensaver,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Screensaver,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Windows Management Instrumentation Event Subscription",Any,0,0,2,2,100,13,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Windows Management Instrumentation Event Subscription","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Windows Management Instrumentation Event Subscription","Enterprise Security Content Update",0,0,2,2,100,13,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Windows Management Instrumentation Event Subscription","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Windows Management Instrumentation Event Subscription","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Windows Management Instrumentation Event Subscription","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Unix Shell Configuration Modification",Any,0,0,2,2,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Unix Shell Configuration Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Unix Shell Configuration Modification","Enterprise Security Content Update",0,0,2,2,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Unix Shell Configuration Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Unix Shell Configuration Modification","Splunk Security 
Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Unix Shell Configuration Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Trap,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Trap,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Trap,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Trap,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Trap,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Trap,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","LC_LOAD_DYLIB Addition",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","LC_LOAD_DYLIB Addition","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","LC_LOAD_DYLIB Addition","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","LC_LOAD_DYLIB Addition","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","LC_LOAD_DYLIB Addition","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","LC_LOAD_DYLIB Addition","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Netsh Helper DLL",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Netsh Helper DLL","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Netsh Helper DLL","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Persistence,"Event Triggered Execution","Netsh Helper DLL","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Netsh Helper DLL","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Netsh Helper DLL","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Accessibility Features",Any,0,0,1,1,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Accessibility Features","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Accessibility Features","Enterprise Security Content Update",0,0,1,1,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Accessibility Features","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Accessibility Features","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Accessibility Features","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppCert DLLs",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppCert DLLs","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppCert DLLs","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppCert DLLs","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppCert DLLs","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppCert DLLs","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event 
Triggered Execution","AppInit DLLs",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppInit DLLs","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppInit DLLs","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppInit DLLs","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppInit DLLs","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","AppInit DLLs","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Application Shimming",Any,0,0,3,3,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Application Shimming","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Application Shimming","Enterprise Security Content Update",0,0,3,3,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Application Shimming","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Application Shimming","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Application Shimming","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Image File Execution Options Injection",Any,0,0,1,1,100,13,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Image File Execution Options Injection","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Image File Execution Options Injection","Enterprise Security Content Update",0,0,1,1,100,13,0,"Endpoint 
Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Image File Execution Options Injection","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Image File Execution Options Injection","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Image File Execution Options Injection","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","PowerShell Profile",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","PowerShell Profile","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","PowerShell Profile","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","PowerShell Profile","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","PowerShell Profile","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","PowerShell Profile","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Emond,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Emond,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Emond,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Emond,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Emond,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution",Emond,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Component Object Model 
Hijacking",Any,0,0,1,1,100,13,0,"Windows Security::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Component Object Model Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Component Object Model Hijacking","Enterprise Security Content Update",0,0,1,1,100,13,0,"Windows Security::0",Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Component Object Model Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Component Object Model Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Event Triggered Execution","Component Object Model Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Archive Collected Data","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Archive Collected Data","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Archive Collected Data","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Archive Collected Data","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Archive Collected Data","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Encrypted Channel","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Encrypted Channel","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Encrypted Channel","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Encrypted Channel","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Command and Control","Encrypted Channel","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK","Command and Control","Encrypted Channel","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Exploitation for Defense Evasion","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Exploitation for Defense Evasion","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Exploitation for Defense Evasion","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Exploitation for Defense Evasion","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Exploitation for Defense Evasion","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Exploitation for Defense Evasion","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Time Discovery","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Time Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Time Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Time Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Time Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Time Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","-","Splunk Security 
Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Utility",Any,0,0,5,5,30,5,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Utility","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Utility","Enterprise Security Content Update",0,0,5,5,30,5,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Utility","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Utility","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Utility","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Symmetric Cryptography",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Symmetric Cryptography","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Symmetric Cryptography","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Symmetric Cryptography","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Symmetric Cryptography","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Symmetric Cryptography","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder",Any,0,0,3,3,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise 
ATT&CK",Persistence,"Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Enterprise Security Content Update",0,0,2,3,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Splunk Security Essentials",0,0,1,3,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Registry Run Keys / Startup Folder","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Library",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Library","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Library","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Library","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Library","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Library","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Asymmetric Cryptography",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Asymmetric Cryptography","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Asymmetric Cryptography","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and 
Control","Encrypted Channel","Asymmetric Cryptography","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Asymmetric Cryptography","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Command and Control","Encrypted Channel","Asymmetric Cryptography","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Authentication Package",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Authentication Package","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Authentication Package","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Authentication Package","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Authentication Package","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Authentication Package","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Custom Method",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Custom Method","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Custom Method","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Custom Method","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Custom Method","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Archive Collected Data","Archive via Custom Method","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Time Providers",Any,0,0,1,1,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Time Providers","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Time Providers","Enterprise Security Content Update",0,0,1,1,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Time Providers","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Time Providers","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Time Providers","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Winlogon Helper DLL",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Winlogon Helper DLL","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Winlogon Helper DLL","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Winlogon Helper DLL","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Winlogon Helper DLL","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Winlogon Helper DLL","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Security Support Provider",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Security Support Provider","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Security 
Support Provider","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Security Support Provider","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Security Support Provider","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Security Support Provider","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Kernel Modules and Extensions",Any,0,0,3,3,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Kernel Modules and Extensions","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Kernel Modules and Extensions","Enterprise Security Content Update",0,0,3,3,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Kernel Modules and Extensions","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Kernel Modules and Extensions","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Kernel Modules and Extensions","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Re-opened Applications",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Re-opened Applications","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Re-opened Applications","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Re-opened Applications","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Re-opened Applications","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Re-opened Applications","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","LSASS Driver",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","LSASS Driver","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","LSASS Driver","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","LSASS Driver","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","LSASS Driver","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","LSASS Driver","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Shortcut Modification",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Shortcut Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Shortcut Modification","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Shortcut Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Shortcut Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Shortcut Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Port 
Monitors",Any,0,0,1,1,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Port Monitors","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Port Monitors","Enterprise Security Content Update",0,0,1,1,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Port Monitors","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Port Monitors","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Port Monitors","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Plist Modification",Any,0,0,1,1,100,17,0,"::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Plist Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Plist Modification","Enterprise Security Content Update",0,0,1,1,100,17,0,"::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Plist Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Plist Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Plist Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Print Processors",Any,0,0,7,7,100,17,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0,Microsoft Windows Print Service::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Print Processors","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart 
Execution","Print Processors","Enterprise Security Content Update",0,0,7,7,100,17,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0,Microsoft Windows Print Service::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Print Processors","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Print Processors","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Print Processors","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","XDG Autostart Entries",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","XDG Autostart Entries","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","XDG Autostart Entries","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","XDG Autostart Entries","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","XDG Autostart Entries","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","XDG Autostart Entries","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Active Setup",Any,0,0,1,1,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Active Setup","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Active Setup","Enterprise Security Content Update",0,0,1,1,100,17,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Active Setup","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Active Setup","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Active Setup","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Login Items",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Login Items","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Login Items","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Login Items","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Login Items","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Boot or Logon Autostart Execution","Login Items","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Configuration Repository","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Configuration Repository","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Configuration Repository","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Configuration Repository","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Configuration Repository","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense 
Evasion","Signed Script Proxy Execution","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Share Discovery","-",Any,0,0,1,0,118,1,0,"Network Communication::1",No "Enterprise ATT&CK",Discovery,"Network Share Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Share Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Share Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Network Share Discovery","-","Splunk Security Essentials",0,0,1,0,118,1,0,"Network Communication::1",No "Enterprise ATT&CK",Discovery,"Network Share Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Compromise Client Software Binary","-",Any,0,0,2,0,100,2,0,"CircleCI::2",No "Enterprise ATT&CK",Persistence,"Compromise Client Software Binary","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Compromise Client Software Binary","-","Enterprise Security Content Update",0,0,2,0,100,2,0,"CircleCI::2",No "Enterprise ATT&CK",Persistence,"Compromise Client Software Binary","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Compromise Client Software Binary","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Compromise Client Software Binary","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Collection,"Data from Configuration Repository","SNMP (MIB Dump)",Any,0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK",Collection,"Data from Configuration Repository","SNMP (MIB Dump)","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","SNMP (MIB Dump)","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","SNMP (MIB Dump)","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","SNMP (MIB Dump)","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","SNMP (MIB Dump)","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution",PubPrn,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution",PubPrn,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution",PubPrn,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution",PubPrn,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution",PubPrn,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Script Proxy Execution",PubPrn,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","Network Device Configuration Dump",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","Network Device Configuration Dump","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","Network Device Configuration Dump","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","Network Device Configuration Dump","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK",Collection,"Data from Configuration Repository","Network Device Configuration Dump","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Collection,"Data from Configuration Repository","Network Device Configuration Dump","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","-",Any,0,0,2,0,154,53,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","-","Enterprise Security Content Update",0,0,2,0,154,53,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Password Policy Discovery","-",Any,0,0,7,0,118,7,0,"Endpoint Detection and Response::4,Windows Security::3",No "Enterprise ATT&CK",Discovery,"Password Policy Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Password Policy Discovery","-","Enterprise Security Content Update",0,0,7,0,118,7,0,"Endpoint Detection and Response::4,Windows Security::3",No "Enterprise ATT&CK",Discovery,"Password Policy Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Password Policy Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Password Policy Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Modify Authentication Process","-",Any,0,0,2,0,100,2,0,"Azure::6",No "Enterprise ATT&CK",Persistence,"Modify 
Authentication Process","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Modify Authentication Process","-","Enterprise Security Content Update",0,0,2,0,100,2,0,"Azure::6",No "Enterprise ATT&CK",Persistence,"Modify Authentication Process","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Modify Authentication Process","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Modify Authentication Process","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Compiled HTML File",Any,0,0,4,4,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Compiled HTML File","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Compiled HTML File","Enterprise Security Content Update",0,0,4,4,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Compiled HTML File","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Compiled HTML File","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Compiled HTML File","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Domain Controller Authentication",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Domain Controller Authentication","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Domain Controller Authentication","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Domain Controller Authentication","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Domain Controller Authentication","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Domain Controller Authentication","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Control Panel",Any,0,0,1,1,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Control Panel","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Control Panel","Enterprise Security Content Update",0,0,1,1,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Control Panel","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Control Panel","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Control Panel","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Password Filter DLL",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Password Filter DLL","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Password Filter DLL","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Password Filter DLL","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Password Filter DLL","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Password Filter DLL","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Defense Evasion","Signed Binary Proxy Execution",CMSTP,Any,0,0,3,3,154,53,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",CMSTP,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",CMSTP,"Enterprise Security Content Update",0,0,3,3,154,53,0,"Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",CMSTP,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",CMSTP,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",CMSTP,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Pluggable Authentication Modules",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Pluggable Authentication Modules","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Pluggable Authentication Modules","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Pluggable Authentication Modules","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Pluggable Authentication Modules","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Pluggable Authentication Modules","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",InstallUtil,Any,0,0,7,7,154,53,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::0,Network Communication::0",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",InstallUtil,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed 
Binary Proxy Execution",InstallUtil,"Enterprise Security Content Update",0,0,7,7,154,53,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::0,Network Communication::0",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",InstallUtil,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",InstallUtil,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",InstallUtil,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Network Device Authentication",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Network Device Authentication","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Network Device Authentication","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Network Device Authentication","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Network Device Authentication","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Modify Authentication Process","Network Device Authentication","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mshta,Any,0,0,8,8,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mshta,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mshta,"Enterprise Security Content Update",0,0,8,8,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mshta,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mshta,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mshta,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Msiexec,Any,0,0,1,1,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Msiexec,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Msiexec,"Enterprise Security Content Update",0,0,1,1,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Msiexec,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Msiexec,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Msiexec,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Odbcconf,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Odbcconf,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Odbcconf,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Odbcconf,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Odbcconf,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Odbcconf,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Regsvcs/Regasm",Any,0,0,6,6,154,53,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::0",Yes "Enterprise 
ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Regsvcs/Regasm","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Regsvcs/Regasm","Enterprise Security Content Update",0,0,6,6,154,53,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Regsvcs/Regasm","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Regsvcs/Regasm","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution","Regsvcs/Regasm","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Regsvr32,Any,0,0,5,5,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Regsvr32,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Regsvr32,"Enterprise Security Content Update",0,0,5,5,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Regsvr32,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Regsvr32,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Regsvr32,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Rundll32,Any,0,0,15,15,154,53,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::0,Network Communication::0",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Rundll32,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Rundll32,"Enterprise Security Content 
Update",0,0,15,15,154,53,0,"Endpoint Detection and Response::2,Microsoft Sysmon Logs::0,Network Communication::0",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Rundll32,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Rundll32,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Rundll32,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Verclsid,Any,0,0,1,1,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Verclsid,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Verclsid,"Enterprise Security Content Update",0,0,1,1,154,53,0,"Endpoint Detection and Response::2",Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Verclsid,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Verclsid,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Verclsid,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mavinject,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mavinject,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mavinject,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mavinject,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",Mavinject,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed 
Binary Proxy Execution",Mavinject,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",MMC,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",MMC,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",MMC,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",MMC,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",MMC,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Signed Binary Proxy Execution",MMC,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","XSL Script Processing","-",Any,0,0,2,0,154,2,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK","Defense Evasion","XSL Script Processing","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","XSL Script Processing","-","Enterprise Security Content Update",0,0,2,0,154,2,0,"Endpoint Detection and Response::2",No "Enterprise ATT&CK","Defense Evasion","XSL Script Processing","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","XSL Script Processing","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","XSL Script Processing","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Browser Bookmark Discovery","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Browser Bookmark Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Browser Bookmark Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Browser Bookmark Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Browser 
Bookmark Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Browser Bookmark Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Search Order Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Search Order Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Search Order Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Search Order Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Search Order Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Search Order Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Side-Loading",Any,0,0,2,2,100,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Side-Loading","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Side-Loading","Enterprise Security Content 
Update",0,0,2,2,100,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Side-Loading","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Side-Loading","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","DLL Side-Loading","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dylib Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dylib Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dylib Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dylib Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dylib Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dylib Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Executable Installer File Permissions Weakness",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Executable Installer File Permissions Weakness","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Executable Installer File Permissions Weakness","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Executable Installer File Permissions Weakness","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Executable Installer File Permissions Weakness","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Executable 
Installer File Permissions Weakness","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dynamic Linker Hijacking",Any,0,0,1,1,100,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dynamic Linker Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dynamic Linker Hijacking","Enterprise Security Content Update",0,0,1,1,100,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dynamic Linker Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dynamic Linker Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Dynamic Linker Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by PATH Environment Variable",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by PATH Environment Variable","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by PATH Environment Variable","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by PATH Environment Variable","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by PATH Environment Variable","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by PATH Environment Variable","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Search Order Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack 
Execution Flow","Path Interception by Search Order Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Search Order Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Search Order Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Search Order Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Search Order Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Unquoted Path",Any,0,0,1,1,100,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Unquoted Path","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Unquoted Path","Enterprise Security Content Update",0,0,1,1,100,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Unquoted Path","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Unquoted Path","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Path Interception by Unquoted Path","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services File Permissions Weakness",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services File Permissions Weakness","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services File Permissions Weakness","Enterprise Security Content 
Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services File Permissions Weakness","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services File Permissions Weakness","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services File Permissions Weakness","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services Registry Permissions Weakness",Any,0,0,4,4,100,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services Registry Permissions Weakness","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services Registry Permissions Weakness","Enterprise Security Content Update",0,0,2,4,100,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services Registry Permissions Weakness","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services Registry Permissions Weakness","Splunk Security Essentials",0,0,2,4,100,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","Services Registry Permissions Weakness","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","COR_PROFILER",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","COR_PROFILER","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","COR_PROFILER","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","COR_PROFILER","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","COR_PROFILER","Splunk Security 
Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Persistence,"Hijack Execution Flow","COR_PROFILER","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Template Injection","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Template Injection","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Template Injection","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Template Injection","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Template Injection","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Template Injection","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Domain Trust Discovery","-",Any,0,0,11,0,118,11,0,"Endpoint Detection and Response::9,Windows Security::2",No "Enterprise ATT&CK",Discovery,"Domain Trust Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Domain Trust Discovery","-","Enterprise Security Content Update",0,0,11,0,118,11,0,"Endpoint Detection and Response::9,Windows Security::2",No "Enterprise ATT&CK",Discovery,"Domain Trust Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Domain Trust Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Domain Trust Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","-",Any,0,0,6,0,154,8,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","-","Enterprise Security Content Update",0,0,5,0,154,8,0,"Endpoint Detection and Response::6",No "Enterprise 
ATT&CK","Defense Evasion","File and Directory Permissions Modification","-","Splunk App for Enterprise Security",0,0,1,0,154,8,0,"Endpoint Detection and Response::6",No "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Windows File and Directory Permissions Modification",Any,0,0,1,1,154,8,0,"Endpoint Detection and Response::6",Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Windows File and Directory Permissions Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Windows File and Directory Permissions Modification","Enterprise Security Content Update",0,0,1,1,154,8,0,"Endpoint Detection and Response::6",Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Windows File and Directory Permissions Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions 
Modification","Windows File and Directory Permissions Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Windows File and Directory Permissions Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","System Checks",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","System Checks","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","System Checks","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","System Checks","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","System Checks","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","System Checks","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Linux and Mac File and Directory Permissions Modification",Any,0,0,1,1,154,8,0,"Endpoint Detection and Response::6",Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Linux and Mac File and Directory Permissions Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Linux and Mac File and Directory Permissions Modification","Enterprise Security Content Update",0,0,1,1,154,8,0,"Endpoint Detection and Response::6",Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Linux and Mac File and Directory Permissions Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Linux and Mac File and Directory 
Permissions Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","File and Directory Permissions Modification","Linux and Mac File and Directory Permissions Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","User Activity Based Checks",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","User Activity Based Checks","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","User Activity Based Checks","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","User Activity Based Checks","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","User Activity Based Checks","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","User Activity Based Checks","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","Time Based Evasion",Any,0,0,1,1,118,1,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","Time Based Evasion","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","Time Based Evasion","Enterprise Security Content Update",0,0,1,1,118,1,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","Time Based Evasion","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","Time Based Evasion","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Virtualization/Sandbox Evasion","Time Based Evasion","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Execution 
Guardrails","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Software Discovery","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Software Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Software Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Software Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Software Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Software Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","Environmental Keying",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","Environmental Keying","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","Environmental Keying","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","Environmental Keying","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","Environmental Keying","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Execution Guardrails","Environmental Keying","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK",Discovery,"Software Discovery","Security Software Discovery",Any,0,0,2,2,118,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Discovery,"Software Discovery","Security Software Discovery","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Software Discovery","Security Software Discovery","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Software Discovery","Security Software Discovery","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"Software Discovery","Security Software Discovery","Splunk Security Essentials",0,0,2,2,118,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK",Discovery,"Software Discovery","Security Software Discovery","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Service Discovery","-",Any,0,0,9,0,118,9,0,"AWS::3,Azure::3,GCP::2,Kubernetes::1",No "Enterprise ATT&CK",Discovery,"Cloud Service Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Service Discovery","-","Enterprise Security Content Update",0,0,7,0,118,9,0,"AWS::3,Azure::3,GCP::2,Kubernetes::1",No "Enterprise ATT&CK",Discovery,"Cloud Service Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No 
"Enterprise ATT&CK",Discovery,"Cloud Service Discovery","-","Splunk Security Essentials",0,0,2,0,118,9,0,"Azure::3",No "Enterprise ATT&CK",Discovery,"Cloud Service Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Group Policy Modification",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Group Policy Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Group Policy Modification","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Group Policy Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Group Policy Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Group Policy Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Domain Trust Modification",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Domain Trust Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Domain Trust Modification","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Domain Trust Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Domain Trust Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Domain Policy Modification","Domain Trust Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox 
Evasion","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Service Dashboard","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Service Dashboard","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Service Dashboard","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Service Dashboard","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Service Dashboard","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Service Dashboard","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","System Checks",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","System Checks","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","System Checks","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","System Checks","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","System Checks","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox 
Evasion","System Checks","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","User Activity Based Checks",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","User Activity Based Checks","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","User Activity Based Checks","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","User Activity Based Checks","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","User Activity Based Checks","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","User Activity Based Checks","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","Time Based Evasion",Any,0,0,1,1,154,1,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","Time Based Evasion","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","Time Based Evasion","Enterprise Security Content Update",0,0,1,1,154,1,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","Time Based Evasion","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","Time Based Evasion","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Virtualization/Sandbox Evasion","Time Based Evasion","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Unused/Unsupported Cloud Regions","-",Any,0,0,8,0,154,8,0,"AWS::4,Authentication::3,Change Events Data::1",No 
"Enterprise ATT&CK","Defense Evasion","Unused/Unsupported Cloud Regions","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Unused/Unsupported Cloud Regions","-","Enterprise Security Content Update",0,0,8,0,154,8,0,"AWS::4,Authentication::3,Change Events Data::1",No "Enterprise ATT&CK","Defense Evasion","Unused/Unsupported Cloud Regions","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Unused/Unsupported Cloud Regions","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Unused/Unsupported Cloud Regions","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Infrastructure Discovery","-",Any,0,0,4,0,118,4,0,"AWS::2,Azure::2",No "Enterprise ATT&CK",Discovery,"Cloud Infrastructure Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Infrastructure Discovery","-","Enterprise Security Content Update",0,0,2,0,118,4,0,"AWS::2",No "Enterprise ATT&CK",Discovery,"Cloud Infrastructure Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Infrastructure Discovery","-","Splunk Security Essentials",0,0,2,0,118,4,0,"Azure::2",No "Enterprise ATT&CK",Discovery,"Cloud Infrastructure Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise 
ATT&CK",Discovery,"Container and Resource Discovery","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Container and Resource Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Container and Resource Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Container and Resource Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Container and Resource Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Container and Resource Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","System Firmware",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","System Firmware","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","System Firmware","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","System Firmware","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","System Firmware","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","System Firmware","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","Component Firmware",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","Component Firmware","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","Component Firmware","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","Component Firmware","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","Component Firmware","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS 
Boot","Component Firmware","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",Bootkit,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",Bootkit,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",Bootkit,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",Bootkit,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",Bootkit,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",Bootkit,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",ROMMONkit,Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",ROMMONkit,"Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",ROMMONkit,"Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",ROMMONkit,"Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",ROMMONkit,"Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot",ROMMONkit,"Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","TFTP Boot",Any,0,0,1,1,154,1,0,"Network Communication::0",Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","TFTP Boot","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","TFTP Boot","Enterprise Security Content Update",0,0,1,1,154,1,0,"Network Communication::0",Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","TFTP Boot","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS Boot","TFTP Boot","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Pre-OS 
Boot","TFTP Boot","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","-",Any,0,0,2,0,154,23,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","-","Enterprise Security Content Update",0,0,2,0,154,23,0,"Endpoint Detection and Response::4",No "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Location Discovery","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Location Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Location Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Location Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Location Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"System Location Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Setuid and Setgid",Any,0,0,3,3,154,23,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Setuid and Setgid","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Setuid and Setgid","Enterprise Security Content Update",0,0,3,3,154,23,0,"Endpoint Detection and Response::4",Yes 
"Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Setuid and Setgid","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Setuid and Setgid","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Setuid and Setgid","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Location Discovery","System Language Discovery",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Location Discovery","System Language Discovery","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Location Discovery","System Language Discovery","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Location Discovery","System Language Discovery","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Location Discovery","System Language Discovery","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK",Discovery,"System Location Discovery","System Language Discovery","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Bypass User Account Control",Any,0,0,11,11,154,23,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Bypass User Account Control","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Bypass User Account Control","Enterprise Security Content Update",0,0,11,11,154,23,0,"Endpoint Detection and Response::4,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Bypass User Account Control","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation 
Control Mechanism","Bypass User Account Control","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Bypass User Account Control","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Sudo and Sudo Caching",Any,0,0,7,7,154,23,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Enterprise Security Content Update",0,0,7,7,154,23,0,"Endpoint Detection and Response::4",Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Sudo and Sudo Caching","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Elevated Execution with Prompt",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Elevated Execution with Prompt","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Elevated Execution with Prompt","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Elevated Execution with Prompt","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation Control Mechanism","Elevated Execution with Prompt","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Abuse Elevation 
Control Mechanism","Elevated Execution with Prompt","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","-",Any,0,0,3,0,154,8,0,"AWS::2,Network Communication::2,Windows Security::2",No "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","-","Enterprise Security Content Update",0,0,3,0,154,8,0,"AWS::2,Network Communication::2,Windows Security::2",No "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Group Policy Discovery","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Group Policy Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Group Policy Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Group Policy Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Group Policy Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Group Policy Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Application Access Token",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Application Access Token","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Application Access Token","Enterprise Security Content 
Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Application Access Token","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Application Access Token","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Application Access Token","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Hash",Any,0,0,2,2,154,8,0,"Windows Security::2",Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Hash","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Hash","Enterprise Security Content Update",0,0,1,2,154,8,0,"Windows Security::2",Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Hash","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Hash","Splunk Security Essentials",0,0,1,2,154,8,0,"Windows Security::2",Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Hash","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Ticket",Any,0,0,3,3,154,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Ticket","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Ticket","Enterprise Security Content Update",0,0,3,3,154,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication 
Material","Pass the Ticket","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Ticket","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Pass the Ticket","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Web Session Cookie",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Web Session Cookie","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Web Session Cookie","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Web Session Cookie","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Web Session Cookie","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Use Alternate Authentication Material","Web Session Cookie","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Storage Object Discovery","-",Any,0,0,0,0,0,0,0,,No 
"Enterprise ATT&CK",Discovery,"Cloud Storage Object Discovery","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Storage Object Discovery","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Storage Object Discovery","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Storage Object Discovery","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK",Discovery,"Cloud Storage Object Discovery","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Gatekeeper Bypass",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Gatekeeper Bypass","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Gatekeeper Bypass","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Gatekeeper Bypass","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Gatekeeper Bypass","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Gatekeeper Bypass","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense 
Evasion","Subvert Trust Controls","Code Signing","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","SIP and Trust Provider Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","SIP and Trust Provider Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","SIP and Trust Provider Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","SIP and Trust Provider Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","SIP and Trust Provider Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","SIP and Trust Provider Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Install Root Certificate",Any,0,0,2,2,154,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Install Root Certificate","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Install Root Certificate","Enterprise Security Content Update",0,0,2,2,154,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Install Root Certificate","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Install Root Certificate","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Install Root Certificate","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Mark-of-the-Web Bypass",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense 
Evasion","Subvert Trust Controls","Mark-of-the-Web Bypass","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Mark-of-the-Web Bypass","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Mark-of-the-Web Bypass","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Mark-of-the-Web Bypass","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Mark-of-the-Web Bypass","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing Policy Modification",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing Policy Modification","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing Policy Modification","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing Policy Modification","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing Policy Modification","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Subvert Trust Controls","Code Signing Policy Modification","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","-",Any,0,0,2,0,154,2,0,"Azure::6",No "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","-","Enterprise Security Content Update",0,0,2,0,154,2,0,"Azure::6",No "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","-","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Domain Controller Authentication",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Domain Controller Authentication","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Domain Controller Authentication","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Domain Controller Authentication","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Domain Controller Authentication","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Domain Controller Authentication","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Password Filter DLL",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Password Filter DLL","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Password Filter DLL","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Password Filter DLL","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Password Filter DLL","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Password Filter DLL","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Pluggable Authentication Modules",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Pluggable Authentication Modules","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Pluggable Authentication Modules","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Pluggable Authentication Modules","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Pluggable Authentication Modules","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Pluggable Authentication Modules","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Network Device Authentication",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Network Device Authentication","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Network Device Authentication","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Network Device Authentication","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Network Device Authentication","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Authentication Process","Network Device Authentication","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","-",Any,0,0,2,0,154,64,0,"Endpoint Detection and Response::1,Windows Security::1",No "Enterprise ATT&CK","Defense Evasion","Impair Defenses","-","Custom 
Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Impair Defenses","-","Enterprise Security Content Update",0,0,2,0,154,64,0,"Endpoint Detection and Response::1,Windows Security::1",No "Enterprise ATT&CK","Defense Evasion","Impair Defenses","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Impair Defenses","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Impair Defenses","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Tools",Any,0,2,46,48,154,64,0,"Anti-Virus or Anti-Malware::0,Any Splunk Logs::0,Configuration Management::0,Endpoint Detection and Response::1,Microsoft Sysmon Logs::0,Microsoft System EventLog::0,Patch Management::0,Windows Security::1",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Tools","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Tools","Enterprise Security Content Update",0,0,39,48,154,64,0,"Endpoint Detection and Response::1,Microsoft Sysmon Logs::0,Microsoft System EventLog::0,Windows Security::1",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Tools","Splunk App for Enterprise Security",0,1,3,48,154,64,0,"Anti-Virus or Anti-Malware::0,Any Splunk Logs::0,Configuration Management::0",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Tools","Splunk Security Essentials",0,1,4,48,154,64,0,"Any Splunk Logs::0,Endpoint Detection and Response::1,Patch Management::0",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Tools","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Windows Event Logging",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Windows Event Logging","Custom 
Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Windows Event Logging","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Windows Event Logging","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Windows Event Logging","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Windows Event Logging","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Impair Command History Logging",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Impair Command History Logging","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Impair Command History Logging","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Impair Command History Logging","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Impair Command History Logging","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Impair Command History Logging","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify System Firewall",Any,0,0,5,5,154,64,0,"Endpoint Detection and Response::1",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify System Firewall","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify System Firewall","Enterprise Security Content Update",0,0,5,5,154,64,0,"Endpoint Detection and Response::1",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify System Firewall","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify System Firewall","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify System Firewall","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Indicator Blocking",Any,0,0,3,3,154,64,0,"Endpoint Detection and Response::1",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Indicator Blocking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Indicator Blocking","Enterprise Security Content Update",0,0,1,3,154,64,0,"Endpoint Detection and Response::1",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Indicator Blocking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Indicator Blocking","Splunk Security Essentials",0,0,2,3,154,64,0,"Endpoint Detection and Response::1",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Indicator Blocking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Cloud Firewall",Any,0,0,6,6,154,64,0,"AWS::0,Azure::0,Endpoint Detection and Response::1",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Cloud Firewall","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Cloud Firewall","Enterprise Security Content Update",0,0,6,6,154,64,0,"AWS::0,Azure::0,Endpoint Detection and Response::1",Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Cloud Firewall","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable or Modify Cloud Firewall","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair 
Defenses","Disable or Modify Cloud Firewall","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Cloud Logs",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Cloud Logs","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Cloud Logs","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Cloud Logs","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Cloud Logs","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Disable Cloud Logs","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Safe Mode Boot",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Safe Mode Boot","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Safe Mode Boot","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Safe Mode Boot","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Safe Mode Boot","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Safe Mode Boot","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Downgrade Attack",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Downgrade Attack","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Downgrade Attack","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Downgrade Attack","Splunk App for Enterprise 
Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Downgrade Attack","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Impair Defenses","Downgrade Attack","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Files and Directories",Any,0,0,2,2,154,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Files and Directories","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Files and Directories","Enterprise Security Content Update",0,0,2,2,154,2,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Files and Directories","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Files and Directories","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Files and Directories","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Users",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Users","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense 
Evasion","Hide Artifacts","Hidden Users","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Users","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Users","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Users","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Window",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Window","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Window","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Window","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Window","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden Window","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","NTFS File Attributes",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","NTFS File Attributes","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","NTFS File Attributes","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","NTFS File Attributes","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","NTFS File Attributes","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","NTFS File Attributes","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden File System",Any,0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden File System","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden File System","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden File System","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden File System","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Hidden File System","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Run Virtual Instance",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Run Virtual Instance","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Run Virtual Instance","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Run Virtual Instance","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Run Virtual Instance","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Run Virtual Instance","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","VBA Stomping",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","VBA Stomping","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","VBA Stomping","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","VBA Stomping","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","VBA Stomping","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","VBA 
Stomping","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Email Hiding Rules",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Email Hiding Rules","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Email Hiding Rules","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Email Hiding Rules","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Email Hiding Rules","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Email Hiding Rules","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Resource Forking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Resource Forking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Resource Forking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Resource Forking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Resource Forking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hide Artifacts","Resource Forking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","-","Custom Content",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hijack Execution 
Flow","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Search Order Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Search Order Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Search Order Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Search Order Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Search Order Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Search Order Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Side-Loading",Any,0,0,2,2,154,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Side-Loading","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Side-Loading","Enterprise Security Content Update",0,0,2,2,154,8,0,"Endpoint Detection and Response::0,Microsoft Sysmon Logs::0",Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Side-Loading","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Side-Loading","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","DLL Side-Loading","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dylib Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise 
ATT&CK","Defense Evasion","Hijack Execution Flow","Dylib Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dylib Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dylib Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dylib Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dylib Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Executable Installer File Permissions Weakness",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Executable Installer File Permissions Weakness","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Executable Installer File Permissions Weakness","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Executable Installer File Permissions Weakness","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Executable Installer File Permissions Weakness","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Executable Installer File Permissions Weakness","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dynamic Linker Hijacking",Any,0,0,1,1,154,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dynamic Linker Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dynamic Linker Hijacking","Enterprise Security Content Update",0,0,1,1,154,8,0,"Endpoint 
Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dynamic Linker Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dynamic Linker Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Dynamic Linker Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by PATH Environment Variable",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by PATH Environment Variable","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by PATH Environment Variable","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by PATH Environment Variable","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by PATH Environment Variable","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by PATH Environment Variable","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Search Order Hijacking",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Search Order Hijacking","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Search Order Hijacking","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Search Order Hijacking","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes 
"Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Search Order Hijacking","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Search Order Hijacking","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Unquoted Path",Any,0,0,1,1,154,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Unquoted Path","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Unquoted Path","Enterprise Security Content Update",0,0,1,1,154,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Unquoted Path","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Unquoted Path","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Path Interception by Unquoted Path","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services File Permissions Weakness",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services File Permissions Weakness","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services File Permissions Weakness","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services File Permissions Weakness","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services File Permissions Weakness","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense 
Evasion","Hijack Execution Flow","Services File Permissions Weakness","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services Registry Permissions Weakness",Any,0,0,4,4,154,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services Registry Permissions Weakness","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services Registry Permissions Weakness","Enterprise Security Content Update",0,0,2,4,154,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services Registry Permissions Weakness","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services Registry Permissions Weakness","Splunk Security Essentials",0,0,2,4,154,8,0,"Endpoint Detection and Response::0",Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","Services Registry Permissions Weakness","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","COR_PROFILER",Any,0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","COR_PROFILER","Custom Content",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","COR_PROFILER","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","COR_PROFILER","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","COR_PROFILER","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Hijack Execution Flow","COR_PROFILER","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes "Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","-",Any,0,0,0,0,0,0,0,,No "Enterprise ATT&CK","Defense 
Evasion","Modify Cloud Compute Infrastructure","-","Custom Content",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Snapshot",Any,0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Snapshot","Custom Content",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Snapshot","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Snapshot","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Snapshot","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Snapshot","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Cloud Instance",Any,0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Cloud Instance","Custom Content",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Cloud Instance","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Cloud Instance","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Cloud Instance","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Create Cloud Instance","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Delete Cloud Instance",Any,0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Delete Cloud Instance","Custom Content",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Delete Cloud Instance","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Delete Cloud Instance","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Delete Cloud Instance","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Delete Cloud Instance","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Revert Cloud Instance",Any,0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Revert Cloud Instance","Custom Content",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Revert Cloud Instance","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Revert Cloud Instance","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Revert Cloud Instance","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify Cloud Compute Infrastructure","Revert Cloud Instance","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","-",Any,0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","-","Custom Content",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","Network Address Translation Traversal",Any,0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","Network Address Translation Traversal","Custom Content",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","Network Address Translation Traversal","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","Network Address Translation Traversal","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","Network Address Translation Traversal","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Network Boundary Bridging","Network Address Translation Traversal","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","-",Any,0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","-","Custom Content",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Reduce Key Space",Any,0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Reduce Key Space","Custom Content",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Reduce Key Space","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Reduce Key Space","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Reduce Key Space","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Reduce Key Space","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Disable Crypto Hardware",Any,0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Disable Crypto Hardware","Custom Content",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Disable Crypto Hardware","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Disable Crypto Hardware","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Disable Crypto Hardware","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Weaken Encryption","Disable Crypto Hardware","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","-",Any,0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify System Image","-","Custom Content",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify System Image","-","Enterprise Security Content Update",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify System Image","-","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify System Image","-","Splunk Security Essentials",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify System Image","-","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Patch System Image",Any,0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Patch System Image","Custom Content",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Patch System Image","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Patch System Image","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Patch System Image","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Patch System Image","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Downgrade System Image",Any,0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Downgrade System Image","Custom Content",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Downgrade System Image","Enterprise Security Content Update",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Downgrade System Image","Splunk App for Enterprise Security",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Downgrade System Image","Splunk Security Essentials",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Modify System Image","Downgrade System Image","Splunk User Behavior Analytics",0,0,0,0,0,0,0,,Yes
"Enterprise ATT&CK","Defense Evasion","Deploy Container","-",Any,0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Deploy Container","-","Custom Content",0,0,0,0,0,0,0,,No
"Enterprise ATT&CK","Defense Evasion","Deploy Container","-","Enterpris