diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml index 2f004779966..1fb11e95294 100644 --- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml +++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -112,3 +112,37 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml index e77ba2624e4..f428b4da9a8 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -114,3 +114,61 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1526" +name = "Cloud Service Discovery" +reference = "https://attack.mitre.org/techniques/T1526/" + +[[rule.threat.technique]] +id = "T1580" +name = "Cloud Infrastructure Discovery" +reference = "https://attack.mitre.org/techniques/T1580/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" + diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml index be4f893c376..2634447e6ad 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -116,3 +116,21 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml index 9a8b45d4c12..c961ff23bf9 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -116,3 +116,21 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml index f43c07ebbff..db71d8487f4 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/06/18" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 @@ -114,3 +114,60 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + +[[rule.threat.technique.subtechnique]] +id = "T1078.004" +name = "Cloud Accounts" +reference = "https://attack.mitre.org/techniques/T1078/004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" + +[[rule.threat.technique.subtechnique]] +id = "T1021.007" +name = "Cloud Services" +reference = "https://attack.mitre.org/techniques/T1021/007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + diff --git a/rules/ml/ml_high_count_events_for_a_host_name.toml b/rules/ml/ml_high_count_events_for_a_host_name.toml index cd88785e91e..3af1d24172b 100644 --- a/rules/ml/ml_high_count_events_for_a_host_name.toml +++ b/rules/ml/ml_high_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/18" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 @@ -91,3 +91,60 @@ The detection of a spike in host-based traffic leverages machine learning to ide - Restore the affected host from a known good backup if malware or significant unauthorized changes are detected. - Implement network segmentation to limit the spread of potential threats and reduce the impact of similar incidents in the future. - Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional resources are needed for a comprehensive response.""" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" + +[[rule.threat.technique]] +id = "T1499" +name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1204" +name = "User Execution" +reference = "https://attack.mitre.org/techniques/T1204/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index 59642ccab2d..39e7bd4d1f3 100644 --- a/rules/ml/ml_high_count_network_denies.toml +++ b/rules/ml/ml_high_count_network_denies.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 @@ -111,3 +111,73 @@ Firewalls and ACLs are critical in controlling network traffic, blocking unautho - Implement additional monitoring and alerting for similar patterns of denied traffic to enhance early detection of potential threats. - Document the incident, including actions taken and lessons learned, to improve future response efforts and update incident response plans accordingly.""" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat.technique]] +id = "T1590" +name = "Gather Victim Network Information" +reference = "https://attack.mitre.org/techniques/T1590/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" + +[[rule.threat.technique]] +id = "T1499" +name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" + diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml index 924e7d2f9da..788730443c5 100644 --- a/rules/ml/ml_high_count_network_events.toml +++ b/rules/ml/ml_high_count_network_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 @@ -110,3 +110,55 @@ Machine learning models analyze network traffic patterns to identify anomalies, - Review and update network access controls and permissions to ensure only authorized users and devices have access to sensitive data and systems. - Implement enhanced monitoring and alerting for similar traffic patterns to improve early detection and response to future incidents.""" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat.technique]] +id = "T1498" +name = "Network Denial of Service" +reference = "https://attack.mitre.org/techniques/T1498/" + diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 36d794c639e..6993543b038 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/17" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -92,3 +92,58 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index 0c843572f53..be92e900df7 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -118,3 +118,42 @@ In Linux environments, network ports facilitate communication between applicatio - Implement network segmentation to limit the exposure of critical systems to potential threats and reduce the risk of lateral movement. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1571" +name = "Non-Standard Port" +reference = "https://attack.mitre.org/techniques/T1571/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + diff --git a/rules/ml/ml_low_count_events_for_a_host_name.toml b/rules/ml/ml_low_count_events_for_a_host_name.toml index 2e8b2aed2fc..d2128f0bf36 100644 --- a/rules/ml/ml_low_count_events_for_a_host_name.toml +++ b/rules/ml/ml_low_count_events_for_a_host_name.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/18" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/18" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 @@ -91,3 +91,29 @@ Host-based traffic monitoring is crucial for identifying anomalies in network ac - Restore any affected services from known good backups if service failure is confirmed as the cause. - Monitor network traffic for any signs of unusual activity or attempts to exploit the situation further. - Escalate the incident to the security operations team for a deeper forensic analysis and to determine if additional hosts are affected.""" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/" + +[[rule.threat.technique]] +id = "T1499" +name = "Endpoint Denial of Service" +reference = "https://attack.mitre.org/techniques/T1499/" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 0b6b6323406..21d0d1aac74 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -118,3 +118,65 @@ Machine learning models analyze network traffic to identify atypical domain name - Implement network-level blocking of the identified unusual domain across the organization to prevent future access attempts. - Update threat intelligence feeds and detection systems with indicators of compromise (IOCs) related to the unusual domain to enhance future detection capabilities.""" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique.subtechnique]] +id = "T1071.001" +name = "Web Protocols" +reference = "https://attack.mitre.org/techniques/T1071/001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index aa4093e0105..7c1f674b243 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 @@ -115,3 +115,70 @@ Machine learning models analyze network logs to identify traffic to uncommon des - Restore the affected system from a clean backup if necessary, ensuring that all security patches and updates are applied. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.""" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat.technique]] +id = "T1566" +name = "Phishing" +reference = "https://attack.mitre.org/techniques/T1566/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.001" +name = "Spearphishing Attachment" +reference = "https://attack.mitre.org/techniques/T1566/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1566.002" +name = "Spearphishing Link" +reference = "https://attack.mitre.org/techniques/T1566/002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1105" +name = "Ingress Tool Transfer" +reference = "https://attack.mitre.org/techniques/T1105/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[[rule.threat.technique]] +id = "T1048" +name = "Exfiltration Over Alternative Protocol" +reference = "https://attack.mitre.org/techniques/T1048/" + diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 1e70ca2093a..9c9c130f549 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/11/18" [rule] anomaly_threshold = 75 @@ -115,3 +115,55 @@ severity = "low" tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat.technique]] +id = "T1046" +name = "Network Service Discovery" +reference = "https://attack.mitre.org/techniques/T1046/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0043" +name = "Reconnaissance" +reference = "https://attack.mitre.org/tactics/TA0043/" + +[[rule.threat.technique]] +id = "T1595" +name = "Active Scanning" +reference = "https://attack.mitre.org/techniques/T1595/" + diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 1aa71877419..3df432d3263 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/11/18" [rule] anomaly_threshold = 50 @@ -89,3 +89,58 @@ tags = [ ] type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0010" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0010/" + +[[rule.threat.technique]] +id = "T1041" +name = "Exfiltration Over C2 Channel" +reference = "https://attack.mitre.org/techniques/T1041/" +