Better naming conventions #94

Open
valoq opened this issue Jun 25, 2023 · 1 comment
@valoq
Contributor

valoq commented Jun 25, 2023

There are currently a number of key strings that refer to the MITRE ATT&CK guide, though in most cases there is little relation to the actual logs.

For example:

T1497_Virtualization_Sandbox_Evasion_System_Checks is used as the key whenever VirtualBox applications are executed in /bin/local.

It also triggers for qemu when running on a Debian Bookworm VM, while the comment in the rules indicates it handles "qemu on macOS".

A different example is T1011_Exfiltration_Over_Other_Network_Medium, which is currently triggered every time a network socket file is created. While it may be correct that it could be used for exfiltration, it stands to reason that it will trigger a lot more often during normal operations.

I would suggest removing the MITRE naming convention completely and using simpler key strings, like "socket created" for the second example.
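The rename proposed above is a mechanical change to the `-k KEY` / `-F key=KEY` fields of an audit rules file. The helper below is an added example, not code from the rules repository or from either commenter: it rewrites those fields from a mapping while leaving the rest of each rule untouched, checks that the replacement keys are something auditctl will accept (no spaces, at most 256 bytes, the kernel's AUDIT_MAX_KEY_LEN), and lists the keys left in the file so you can confirm no old name survives. The new key names and the sample rules are assumptions constructed for the example.

```python
"""Rename auditd rule keys (-k KEY and -F key=KEY) from a mapping."""
import re

MAX_KEY_LEN = 256  # AUDIT_MAX_KEY_LEN: auditctl rejects longer keys

# Old MITRE-style key -> plain key. The old names are the ones from the
# issue; the new names are assumptions chosen for this example.
KEY_MAP = {
    "T1497_Virtualization_Sandbox_Evasion_System_Checks": "virtualization_tools_exec",
    "T1011_Exfiltration_Over_Other_Network_Medium": "socket_created",
}

# Constructed sample rules file; not the project's own rules.
SAMPLE_RULES = """\
# constructed sample rules
-w /usr/local/bin/VBoxManage -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
-w /usr/local/bin/qemu-system-x86_64 -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
-a always,exit -F arch=b64 -S socket -F key=T1011_Exfiltration_Over_Other_Network_Medium
-w /etc/passwd -p wa -k identity
"""

# Matches the key in either syntax auditctl accepts. Only the key token is
# replaced, so quoting and spacing elsewhere in the rule are preserved.
KEY_RE = re.compile(r"(?P<prefix>-k\s+|-F\s+key=)(?P<key>\S+)")


def validate_key(key):
    """Reject keys auditctl would refuse: empty, containing spaces, too long."""
    if not key or " " in key or len(key.encode()) > MAX_KEY_LEN:
        raise ValueError(f"invalid audit key: {key!r}")
    return key


def list_keys(rules_text):
    """Return the set of keys used by non-comment rules in rules_text."""
    keys = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for m in KEY_RE.finditer(line):
            keys.add(m.group("key"))
    return keys


def rename_keys(rules_text, key_map):
    """Return (rewritten rules text, {old_key: number of rules changed})."""
    for new in key_map.values():
        validate_key(new)
    counts = {}

    def substitute(m):
        old = m.group("key")
        new = key_map.get(old)
        if new is None:
            return m.group(0)  # key not in the mapping: leave the rule alone
        counts[old] = counts.get(old, 0) + 1
        return m.group("prefix") + new

    out = []
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            out.append(line)  # comments may mention old keys; do not touch them
        else:
            out.append(KEY_RE.sub(substitute, line))
    return "\n".join(out) + "\n", counts


if __name__ == "__main__":
    new_rules, changed = rename_keys(SAMPLE_RULES, KEY_MAP)
    print(new_rules)
    for old, n in changed.items():
        print(f"{old} -> {KEY_MAP[old]}: {n} rule(s)")
    leftover = list_keys(new_rules) & set(KEY_MAP)
    print("old keys remaining:", leftover or "none")
```

After rewriting, `ausearch -k` and any dashboard filters built on the old key strings need the new names as well; `list_keys` over the rewritten file is the quick check that none of the old names are still emitted by a rule.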

@Neo23x0
Owner

Neo23x0 commented Jun 26, 2023

I agree
