A Detection Finding event contains an array of Evidence Artifacts objects whose purpose is:

> Describes various evidence artifacts associated to the activity/activities that triggered a security detection.

The Evidence Artifacts object in turn has attributes which enable a security product to describe all the observables and activities associated with the detection. The description for each of these attributes is almost identical, following the pattern:

> Describes details about the [whatever] associated to the activity that triggered the detection.

These attributes cover many things (files, processes, network endpoints, DNS queries, etc.) but don't cover registry keys and values. The registry is hugely important in the context of Windows detections because adversaries use the registry to implement many tactics including Defense Evasion, Persistence, Privilege Escalation, etc. Hence a lot of detection content is triggered by registry activity.

I propose to address this gap with a PR that will add the pre-existing `reg_key` and `reg_value` attributes to the Evidence Artifacts object.
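As an added example (not code from this issue or from the OCSF project), the block below builds a Detection Finding for a registry-triggered persistence rule and checks its evidence entries against the attribute set of the Evidence Artifacts object, once without and once with the proposed `reg_key` and `reg_value`. The attribute list, the `class_uid`, and the sample finding are assumptions made for the illustration, not values taken from the schema.

```python
import json
from copy import deepcopy

# Attributes assumed to exist on the Evidence Artifacts object today (verify against the schema).
EVIDENCE_ATTRIBUTES_CURRENT = {
    "actor", "api", "connection_info", "container", "data",
    "dst_endpoint", "file", "process", "query", "src_endpoint",
}
# The same set with the two attributes this issue proposes to add.
EVIDENCE_ATTRIBUTES_PROPOSED = EVIDENCE_ATTRIBUTES_CURRENT | {"reg_key", "reg_value"}


def unsupported_evidence_attributes(finding: dict, allowed: set) -> list:
    """Return (evidence index, attribute) pairs for attributes the object does not define,
    so a producer can see which evidence would be silently dropped or rejected."""
    bad = []
    for i, evidence in enumerate(finding.get("evidences", [])):
        for attr in evidence:
            if attr not in allowed:
                bad.append((i, attr))
    return bad


def strip_unsupported(finding: dict, allowed: set) -> dict:
    """Return a copy of the finding keeping only defined evidence attributes,
    i.e. what survives when the schema has no place for registry evidence."""
    out = deepcopy(finding)
    out["evidences"] = [{k: v for k, v in ev.items() if k in allowed}
                        for ev in out.get("evidences", [])]
    return out


def registry_persistence_finding() -> dict:
    """Constructed sample: a Detection Finding for a Run-key persistence rule
    whose triggering observable is the registry write itself (field names assumed)."""
    return {
        "class_uid": 2004,            # Detection Finding (assumed value)
        "activity_id": 1,             # Create
        "severity_id": 4,             # High
        "finding_info": {"title": "Run key persistence", "uid": "CONSTRUCTED-0001"},
        "evidences": [{
            "process": {"name": "reg.exe", "pid": 4242},
            "reg_key": {"path": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
            "reg_value": {"name": "Updater", "type": "REG_SZ",
                          "data": "C:\\Users\\Public\\updater.exe"},
        }],
    }


if __name__ == "__main__":
    f = registry_persistence_finding()
    print("dropped today:", unsupported_evidence_attributes(f, EVIDENCE_ATTRIBUTES_CURRENT))
    print(json.dumps(strip_unsupported(f, EVIDENCE_ATTRIBUTES_CURRENT)["evidences"], indent=2))
```

Run as a script it prints the two registry attributes that the current object cannot carry, and the evidence entry reduced to just the process once they are stripped.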