When LogRhythm originally developed and launched the MITRE ATT&CK Knowledge Base (KB) Module, we worked against version 6 of MITRE ATT&CK. The MITRE ATT&CK framework is constantly developing, and many changes have been implemented since then, most recently culminating in the release of version 8. Here are some helpful resources to learn more about MITRE ATT&CK developments.
To support these significant changes, we will be launching the second version of our KB Module. The biggest change to our module will be the naming convention of AIE rules supporting the introduction of MITRE ATT&CK sub-techniques. You can read more about MITRE ATT&CK sub-techniques here.
The new naming convention focuses on Technique ID and, if applicable, Sub-Technique ID in the AI Engine rule name. The reason for this change is that the AI Engine (AIE) rule name is what is most relevant to use for Dashboards, Searches, Reports, etc., and aligns closest with third parties also focused on MITRE ATT&CK techniques where IDs are the focal point in logging and events.
Including the Tactic name in the rule name will be deprecated. Our working assumption is that removing the Tactic from the name has no impact on customers.
The new AIE rule name will consist of: TechniqueID.subTechniqueID:Technique Short Description:Additional Qualifiers
MITRE ATT&CK Technique: Command and Scripting Interpreter: T1059 currently has eight sub-techniques. Taking PowerShell as the example, the sub-technique is named Command and Scripting Interpreter: PowerShell: T1059.001, and the new AIE rule name will be “AIE : T1059.001:PowerShell”.
There may be more than one variation of a sub-technique, in which case we will append a description of the variation to the AIE rule name as an additional qualifier. For example, an AIE rule that detects the use of encoded commands in PowerShell would be named “AIE : T1059.001:PowerShell:Encoded Commands”.
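Because dashboards, searches and reports key on the Technique ID embedded in the rule name, it helps to have a small parser and builder for the convention described above. The following is an added example, not LogRhythm code; it assumes the "AIE : " prefix and colon-separated fields exactly as shown in the names above, and the sample rule names it works on are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rule names following the TechniqueID.subTechniqueID:Short Description:Qualifiers
# convention. The last entry is deliberately malformed (no Technique ID) to show how it is rejected.
SAMPLE_RULE_NAMES = [
    "AIE : T1059.001:PowerShell",
    "AIE : T1059.001:PowerShell:Encoded Commands",
    "AIE : T1059:Command and Scripting Interpreter",
    "AIE : PowerShell",
]

# MITRE ATT&CK IDs: four-digit technique, optional three-digit sub-technique (e.g. T1059 or T1059.001).
TECHNIQUE_ID_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_rule_name(name):
    """Split an AIE rule name into its fields.

    Returns a dict with technique_id, sub_technique_id (None if absent), description and
    qualifiers, or None if the name does not follow the convention.
    """
    prefix, sep, rest = name.partition(":")
    if not sep or prefix.strip() != "AIE":
        return None
    fields = [f.strip() for f in rest.split(":")]
    if len(fields) < 2:  # need at least an ID and a short description
        return None
    match = TECHNIQUE_ID_RE.match(fields[0])
    if not match:
        return None
    return {
        "technique_id": "T" + match.group(1),
        "sub_technique_id": fields[0] if match.group(2) else None,
        "description": fields[1],
        "qualifiers": fields[2:],
    }


def build_rule_name(technique_id, sub_technique_id=None, description="", qualifiers=()):
    """Compose a rule name under the new convention; sub_technique_id is the three-digit suffix."""
    if not re.fullmatch(r"T\d{4}", technique_id):
        raise ValueError(f"invalid technique id: {technique_id}")
    full_id = technique_id if sub_technique_id is None else f"{technique_id}.{sub_technique_id}"
    return "AIE : " + ":".join([full_id, description, *qualifiers])


def index_by_technique(names):
    """Group rule names by parent Technique ID, the way a dashboard or search would pivot on them.

    Names that do not parse are collected under the key None so they can be reviewed rather than
    silently dropped.
    """
    index = defaultdict(list)
    for name in names:
        parsed = parse_rule_name(name)
        index[parsed["technique_id"] if parsed else None].append(name)
    return dict(index)


if __name__ == "__main__":
    for name in SAMPLE_RULE_NAMES:
        print(f"{name!r} -> {parse_rule_name(name)}")
    print(index_by_technique(SAMPLE_RULE_NAMES))
```

A name that carries no Technique ID parses to None, so a periodic run of `index_by_technique` over an exported rule list surfaces any rules that still use a legacy name and will not line up with ID-based searches.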
Additional items will be released with the update to the module, including:
Feel free to reach out to the LogRhythm Labs team regarding the new module update. You can find us on the LogRhythm Community and Slack Community.