[Zeek] [EXT] Re: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE
Fernandez, Mark I
mfernandez at mitre.org
Wed Mar 27 07:48:52 PDT 2019
Hi Seth, yes, that is on the todo list. Hopefully, I'll have a package for it and add it to the package-manager soon.
Mark
-----Original Message-----
From: Seth Hall <seth at corelight.com>
Sent: Wednesday, March 27, 2019 10:45 AM
To: Fernandez, Mark I <mfernandez at mitre.org>
Cc: zeek at zeek.org; Zeolla at GMail.com
Subject: [EXT] Re: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE
Seconded! This is great, thanks for sharing Mark! Are you guys planning on turning this into a package and adding it to the package manager?
https://bro-package-manager.readthedocs.io/en/stable/package.html
.Seth
On 27 Mar 2019, at 9:37, Zeolla at GMail.com wrote:
> Nice work, thanks for sharing!
>
> - Jon Zeolla
> Zeolla at GMail.Com
>
>
> On Wed, Mar 27, 2019 at 9:09 AM Fernandez, Mark I
> <mfernandez at mitre.org>
> wrote:
>
>> All,
>>
>> MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like
>> adversarial activity. The project is called BZAR – Bro/Zeek
>> ATT&CK-based Analytics and Reporting.
>>
>> MITRE ATT&CK is a publicly-available, curated knowledge base for
>> cyber adversary behavior, reflecting the various phases of the
>> adversary lifecycle and the platforms they are known to target. The
>> ATT&CK model includes behaviors of numerous threat groups.
>>
>> BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC
>> protocol analyzers and the File Extraction Framework to detect
>> ATT&CK-like activity, correlate certain techniques, and write to the
>> Notice Log.
>>
>> BZAR is publicly released as open source, under MITRE case number
>> 18-2489. It is available for download at the following URL:
>>
>> - https://github.com/mitre-attack/car/tree/master/implementations/bzar
>>
>> For more information on MITRE ATT&CK, visit https://attack.mitre.org.
>>
>> *Mark I. Fernandez*
>> The MITRE Corporation
>> mfernandez at mitre.org
>>
>> P.S. It does not yet support the Bro/Zeek Package Manager (this is
>> on the todo list).
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Seth Hall * Corelight, Inc * www.corelight.com
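The pattern Mark describes above (Zeek's SMB and DCE-RPC analyzer events feeding detections into the Notice Log) looks roughly like this in a Zeek script. This is an added illustration, not code from BZAR or MITRE; the module name, the Notice types, and the share and endpoint lists are assumptions made for the example.

```zeek
@load base/frameworks/notice
@load base/protocols/smb
@load base/protocols/dce-rpc

# Illustrative script, not BZAR's own code: the module, notice names,
# share list and endpoint list are assumptions made for this example.
module Example_ATTACK;

export {
    redef enum Notice::Type += {
        ## An SMB client connected to an administrative share.
        Admin_Share_Access,
        ## A client bound to a remote-administration DCE-RPC interface.
        Remote_Admin_RPC_Bind,
    };
    ## Shares whose remote use is worth a notice (assumed list).
    const admin_shares: set[string] = { "ADMIN$", "C$" } &redef;
    ## Interface names as Zeek's DCE_RPC::uuid_endpoint_map reports them (assumed list).
    const admin_endpoints: set[string] = { "svcctl", "atsvc" } &redef;
}

## Reduce a tree-connect path such as "\\host\C$" to the bare share name.
function share_name(path: string): string
    {
    local parts = split_string(path, /\\/);
    return to_upper(parts[|parts| - 1]);
    }

event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
    {
    local share = share_name(path);
    if ( share !in admin_shares )
        return;
    # Suppression key (client, server, share): one notice per sweep, not per connection.
    NOTICE([$note=Admin_Share_Access,
            $msg=fmt("%s connected to %s on %s", c$id$orig_h, share, c$id$resp_h),
            $conn=c, $identifier=cat(c$id$orig_h, c$id$resp_h, share)]);
    }

event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string,
                   ver_major: count, ver_minor: count)
    {
    # Zeek maps the interface UUID to a human-readable endpoint name for us.
    if ( uuid !in DCE_RPC::uuid_endpoint_map )
        return;
    local ep = DCE_RPC::uuid_endpoint_map[uuid];
    if ( ep in admin_endpoints )
        NOTICE([$note=Remote_Admin_RPC_Bind,
                $msg=fmt("%s bound to RPC interface %s on %s", c$id$orig_h, ep, c$id$resp_h),
                $conn=c, $identifier=cat(c$id$orig_h, c$id$resp_h, ep)]);
    }
```

Both notices land in notice.log alongside the usual conn.log, smb_mapping.log and dce_rpc.log entries, which is where a correlation step of the kind the announcement mentions would pick them up.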