
rule update: add MITRE tags for rules #575

Merged
merged 7 commits into from Apr 11, 2019

5 participants
@Kaizhe
Contributor

commented Apr 4, 2019

Added MITRE tags for default falco rules

@Kaizhe Kaizhe requested a review from mstemm Apr 4, 2019

@Kaizhe


Contributor Author

commented Apr 4, 2019

At the top level, the following categories are covered:

Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, Exfiltration, Command and Control (in sub cat Port Knocking)

https://attack.mitre.org/matrices/enterprise/linux/

@Kaizhe Kaizhe assigned mfdii and Kaizhe and unassigned mfdii Apr 4, 2019

@Kaizhe Kaizhe requested a review from mfdii Apr 4, 2019

@mstemm
Contributor

left a comment

Do you want to include "Mitre" or similar in each tag so it's clear that we're tagging them for the mitre attack framework?

Also, we publish the set of tags we use at https://falco.org/docs/rules/#tags-for-current-falco-ruleset. We should add info about mitre tags there. The docs just moved to the new site, so I'll coordinate w/ you offline on how we update them.

@KnoxAnderson


Contributor

commented Apr 8, 2019

Maybe something like Mitre-Execution @Kaizhe

@Kaizhe


Contributor Author

commented Apr 8, 2019

👌

@@ -1107,7 +1107,7 @@
Sensitive file opened for reading by trusted program after startup (user=%user.name
command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2])
priority: WARNING
tags: [filesystem]
tags: [filesystem, Credential Access]
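Review bot: the added tag `Credential Access` on the last line contains a space and capital letters, unlike the lowercase single-word tag `filesystem` it sits beside, and nothing in the name marks it as an ATT&CK tactic; a prefixed, underscore-joined form such as `mitre_credential_access` keeps the tag list consistent and avoids tags with embedded spaces when rules are selected by tag. Separately, the unchanged output line repeats `parent=%proc.pname` twice, which could be dropped in a follow-up.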


@mstemm

mstemm Apr 10, 2019

Contributor

I think this should be mitre_credential_access right?
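The naming convention settled on in this thread (`mitre_` prefix, lowercase, underscores), applied as a small lint over rule tags; this is an added example, not code from the PR or from Falco. It assumes the tactic list from the earlier comment, and the YAML subset parser and sample rules below are constructed for the example.

```python
import re

# Tactics the PR discussion lists as covered by the default ruleset.
COVERED_TACTICS = ["Execution", "Persistence", "Privilege Escalation",
                   "Credential Access", "Discovery", "Lateral Movement",
                   "Exfiltration", "Command and Control"]

def canonical_tag(text: str) -> str:
    """'mitre_' prefix, lowercase, spaces/dashes -> '_' (the form proposed in review)."""
    t = re.sub(r"[\s-]+", "_", text.strip().lower())
    return "mitre_" + (t[len("mitre_"):] if t.startswith("mitre_") else t)

MITRE_TAGS = {canonical_tag(t) for t in COVERED_TACTICS}
_RULE_RE = re.compile(r"^\s*-\s*rule:\s*(.+?)\s*$")
_TAGS_RE = re.compile(r"^\s*tags:\s*\[(.*)\]\s*$")

def parse_rule_tags(text: str) -> dict:
    """Subset parser: '- rule:' name -> its 'tags: [...]' flow list (not full YAML)."""
    rules, current = {}, None
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            current = m.group(1)
            rules[current] = []
        elif current is not None and (m := _TAGS_RE.match(line)):
            rules[current] = [t.strip().strip("'\"") for t in m.group(1).split(",") if t.strip()]
    return rules

def check_tags(rules: dict) -> list:
    """(rule, tag, suggestion): tactic tag not in canonical form, or mitre-prefixed tag for an unlisted tactic (None)."""
    problems = []
    for name, tags in rules.items():
        for tag in tags:
            canon = canonical_tag(tag)
            if canon in MITRE_TAGS and tag != canon:
                problems.append((name, tag, canon))
            elif tag.lower().startswith("mitre") and canon not in MITRE_TAGS:
                problems.append((name, tag, None))
    return problems

# Constructed sample in the shape of the diff on this page; not the real rules file.
SAMPLE_RULES = """\
- rule: Sensitive file read by trusted program (sample)
  tags: [filesystem, Credential Access]
- rule: Remote copy tool launched (sample)
  tags: [network, process, mitre_lateral_movement]
- rule: Unexpected outbound connection (sample)
  tags: ["network", Mitre-Initial-Access]
"""
```

Running `check_tags(parse_rule_tags(SAMPLE_RULES))` flags the first rule's `Credential Access` with the fix `mitre_credential_access` and the third rule's `Mitre-Initial-Access` as a tactic the ruleset does not list.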

@mstemm

mstemm approved these changes Apr 10, 2019

@Kaizhe Kaizhe force-pushed the rule-updates-2019-04.v3-MITRE-TAG branch from 5582a7a to c60c698 Apr 10, 2019

Kaizhe added some commits Apr 10, 2019

@Kaizhe Kaizhe merged commit d83342a into dev Apr 11, 2019

2 checks passed

Travis CI - Branch Build Passed
Travis CI - Pull Request Build Passed

@fntlnz fntlnz added the area/rules label May 15, 2019
