Mitre ATT&CK coverage


L4 Transporter

Hello dear LIVEcommunity,

As you know, Cortex XDR is a very powerful piece of software and I am happy to use and administrate it.

But I never doubted the coverage of the MITRE ATT&CK patterns, and I am a little bit upset that we need to get through this and set up our own rules, for example for TA 1219. There is no rule within.

Has any of you gone through this process and can share some experience or rules (*.bioc) with the community?

If anybody is interested, here are some actual testing scenarios:

https://github.com/redcanaryco/atomic-red-team/tree/master/atomics

BR

Rob

2 replies

L5 Sessionator

Hi @RFeyertag,

Thank you for writing to Live Community!

We create generalised BIOC rules considering all the customers and their use cases. Considering the fact that TA 1219 is a TTP that abuses known remote access software, which also means that this software is used widely by enterprises, we prevent on the behavioral indicator and detect any malicious behaviour around it, but not the software itself. Customers can choose to create their own BIOC rules around the same as they see fit, since their environments might be regulated to not use the tools, or to use them only in limited scopes with command-line parameters. Such environments will generate fewer false positives; however, that might not hold if implemented globally.

Hope that answers your question!

Regards
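A defender-side illustration of the scoped approach the reply describes (an added example, not Palo Alto Networks code and not a BIOC rule export): a small T1219 (Remote Access Software, referred to above as TA 1219) check run over constructed process-creation events, where every launch of a known remote access tool is reported, but launches from a sanctioned install path, optionally only with a required command-line argument, are kept visible at low severity rather than suppressed. The tool names, install paths, hostnames and the `--service` / `--silent` arguments are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed sample set of remote access tool executables (not exhaustive).
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str      # full path of the started executable
    cmdline: str

@dataclass(frozen=True)
class Allowance:
    """Site exception: tool sanctioned only from this install path and,
    optionally, only when started with a required command-line argument."""
    image_name: str
    path_prefix: str
    required_arg: Optional[str] = None

def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_sanctioned(ev: ProcessEvent, allowances) -> bool:
    for a in allowances:
        if image_name(ev.image) != a.image_name.lower():
            continue
        if not ev.image.lower().startswith(a.path_prefix.lower()):
            continue
        if a.required_arg and a.required_arg.lower() not in ev.cmdline.lower():
            continue
        return True
    return False

def evaluate(events, allowances):
    """Report every remote access tool launch as (host, image, severity):
    sanctioned launches stay visible as 'low', everything else is 'high'."""
    alerts = []
    for ev in events:
        if image_name(ev.image) in REMOTE_ACCESS_TOOLS:
            sev = "low" if is_sanctioned(ev, allowances) else "high"
            alerts.append((ev.host, ev.image, sev))
    return alerts
# Constructed sample data: a sanctioned install path and an argument-scoped one.
ALLOWANCES = [Allowance("TeamViewer.exe", "C:\\Program Files\\TeamViewer\\"),
              Allowance("AnyDesk.exe", "C:\\Program Files (x86)\\AnyDesk\\", "--service")]
EVENTS = [ProcessEvent("WS-01", "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "TeamViewer.exe"),
          ProcessEvent("WS-02", "C:\\Users\\bob\\Downloads\\AnyDesk.exe", "AnyDesk.exe --silent"),
          ProcessEvent("WS-03", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
          ProcessEvent("WS-04", "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "AnyDesk.exe --service")]
```

With an empty allowance list every remote access tool launch comes back as high, which is the "cover everything, then add your own exceptions" behaviour the original poster asks for.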

L4 Transporter

Hey @neelrohit,

Thank you for your answer! I understand your concerns, but in this case, from the customer's view, I now must study the complete MITRE ATT&CK to check what is covered and what is not.

I would sell this product even better ;-) if you could say you cover the whole MITRE ATT&CK surface. When something is a FP, just create your own exception. Even if it is just a low alert (we also check low alerts).

I think this would be more customer friendly (when there is a one- or two-man "SOC"). I know this is a lot of work, but in the end there is more visibility.

BR

Rob
