Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rule update: add MITRE tags for rules #575

Merged
merged 7 commits into from
Apr 11, 2019
Merged

rule update: add MITRE tags for rules #575

merged 7 commits into from
Apr 11, 2019

Conversation

Kaizhe
Copy link
Contributor

@Kaizhe Kaizhe commented Apr 4, 2019

Added MITRE tags for default falco rules

@Kaizhe Kaizhe requested a review from mstemm April 4, 2019 20:17
@Kaizhe
Copy link
Contributor Author

Kaizhe commented Apr 4, 2019

At the top level, we have the following categories are covered:

Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Lateral Movement, Exfiltration, Command and Control (in sub cat Port Knocking)

https://attack.mitre.org/matrices/enterprise/linux/

@Kaizhe Kaizhe assigned mfdii and Kaizhe and unassigned mfdii Apr 4, 2019
@Kaizhe Kaizhe requested a review from mfdii April 4, 2019 20:23
mstemm
mstemm reviewed Apr 5, 2019
View reviewed changes
Copy link
Contributor

@mstemm mstemm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do want to include "Mitre" or similar in each tag so it's clear that we're tagging them for the mitre attack framework?

Also, we publish the set of tags we use at https://falco.org/docs/rules/#tags-for-current-falco-ruleset. We should add info about mitre tags there. The docs just moved to the new site, so I'll coordinate w/ you offline on how we update them.

@KnoxAnderson
Copy link

Maybe something like Mitre-Execution @Kaizhe

@Kaizhe
Copy link
Contributor Author

Kaizhe commented Apr 8, 2019

👌

mstemm
mstemm requested changes Apr 10, 2019
View reviewed changes
rules/falco_rules.yaml Outdated
@@ -1107,7 +1107,7 @@
Sensitive file opened for reading by trusted program after startup (user=%user.name
command=%proc.cmdline parent=%proc.pname file=%fd.name parent=%proc.pname gparent=%proc.aname[2])
priority: WARNING
tags: [filesystem]
tags: [filesystem, Credential Access]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be mitre_credential_access right?

@Kaizhe Kaizhe force-pushed the rule-updates-2019-04.v3-MITRE-TAG branch from 5582a7a to c60c698 Compare April 10, 2019 17:13
@Kaizhe Kaizhe merged commit d83342a into dev Apr 11, 2019
@fntlnz fntlnz deleted the rule-updates-2019-04.v3-MITRE-TAG branch April 7, 2020 14:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mstemm mstemm mstemm approved these changes

@mfdii mfdii Awaiting requested review from mfdii

Assignees

@Kaizhe Kaizhe

Labels
area/rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Kaizhe @KnoxAnderson @mstemm @mfdii @fntlnz