LogRhythm MITRE ATT&CK Knowledge Base (KB) Module 2.0

LogRhythm MITRE ATT&CK Module Updates

Major Update to the LogRhythm MITRE ATT&CK KB Module

When LogRhythm originally developed and launched the MITRE ATT&CK Knowledge Base (KB) Module, we worked from version 6 of MITRE ATT&CK. The MITRE ATT&CK framework is constantly developing, and many changes have been implemented, most recently culminating in the release of version 8. Here are some helpful resources to learn more about MITRE ATT&CK developments.

To support these significant changes, we will be launching the second version of our KB Module. The biggest change to our module will be the naming convention of AIE rules supporting the introduction of MITRE ATT&CK sub-techniques. You can read more about MITRE ATT&CK sub-techniques here.

LogRhythm MITRE ATT&CK KB Module 2.0 Naming Convention for AI Engine Rules

The new naming convention focuses on Technique ID and, if applicable, Sub-Technique ID in the AI Engine rule name. The reason for this change is that the AI Engine (AIE) rule name is what is most relevant to use for Dashboards, Searches, Reports, etc., and aligns closest with third parties also focused on MITRE ATT&CK techniques where IDs are the focal point in logging and events.

Including the Tactic name in the rule name for context will be deprecated. Our working assumption is that removing the Tactic from the name has no impact on customers.

New AI Engine Rule Naming Convention

The new AIE rule name will consist of: TechniqueID.subTechniqueID:Technique Short Description:Additional Qualifiers

The MITRE ATT&CK technique Command and Scripting Interpreter (T1059) currently has eight sub-techniques. Using PowerShell for this example, which is the sub-technique Command and Scripting Interpreter: PowerShell (T1059.001), the new AIE rule name will be “AIE : T1059.001:PowerShell”.

There may be more than one variation of a sub-technique, in which case we will append a description of the variation to the AIE rule name. For example, an AIE rule which detects the use of encoded commands in PowerShell would use an additional qualifier and would be named “AIE : T1059.001:PowerShell:Encoded Commands”.
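Because the convention puts the technique ID first, rule names can be split mechanically for dashboards, searches and reports. The parser below is an added example written for this post, not LogRhythm code; its regular expression, the `AieRuleName` class and the sample rule list are assumptions built only from the convention and examples given above.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Rule name grammar described above:
#   [AIE : ]TechniqueID[.subTechniqueID]:Technique Short Description[:Additional Qualifiers]...
# The "AIE : " prefix is optional so that names copied from a dashboard
# widget parse the same way as names read from the KB itself.
_RULE_NAME = re.compile(
    r"^(?:AIE\s*:\s*)?"          # optional product prefix
    r"(?P<technique>T\d{4})"     # technique ID, e.g. T1059
    r"(?:\.(?P<sub>\d{3}))?"     # optional sub-technique suffix, e.g. .001
    r":(?P<desc>[^:]+)"          # technique short description
    r"(?P<quals>(?::[^:]+)*)$"   # zero or more additional qualifiers
)

@dataclass
class AieRuleName:
    technique_id: str                 # "T1059"
    sub_technique_id: Optional[str]   # "T1059.001" or None
    short_description: str            # "PowerShell"
    qualifiers: list = field(default_factory=list)  # ["Encoded Commands"]

    @property
    def full_id(self) -> str:
        """ID to key searches on: the sub-technique when present, else the technique."""
        return self.sub_technique_id or self.technique_id

def parse_rule_name(name: str) -> AieRuleName:
    """Parse a v2.0-style AIE rule name; raise ValueError if it does not follow the convention."""
    m = _RULE_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a v2.0 MITRE ATT&CK rule name: {name!r}")
    sub = f"{m['technique']}.{m['sub']}" if m["sub"] else None
    quals = [q.strip() for q in m["quals"].split(":") if q.strip()]
    return AieRuleName(m["technique"], sub, m["desc"].strip(), quals)

def count_by_technique(rule_names) -> Counter:
    """Roll rule names up to their parent technique, as a technique-level dashboard widget would."""
    return Counter(parse_rule_name(n).technique_id for n in rule_names)

# Constructed sample: the two names from this post plus a technique-level name.
SAMPLE_RULE_NAMES = [
    "AIE : T1059.001:PowerShell",
    "AIE : T1059.001:PowerShell:Encoded Commands",
    "AIE : T1059:Command and Scripting Interpreter",
]
```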

Upcoming Updates to the LogRhythm MITRE ATT&CK Module v2.0

Additional items will be released with the update to the module, including:

  1. WebUI Dashboards
  2. Navigator Link Layer
  3. Adding Tactic Lists to aid in technique searching, reports, etc.

Feel free to reach out to the LogRhythm Labs team regarding the new module update. You can find us on the LogRhythm Community and Slack Community.
