[Zeek] [EXT] Re: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

Fernandez, Mark I mfernandez at mitre.org
Wed Mar 27 07:48:52 PDT 2019


Hi Seth, yes, that is on the todo list.  Hopefully, I'll have a package for it and add it to the package-manager soon.

Mark

-----Original Message-----
From: Seth Hall <seth at corelight.com>
Sent: Wednesday, March 27, 2019 10:45 AM
To: Fernandez, Mark I <mfernandez at mitre.org>
Cc: zeek at zeek.org; Zeolla at GMail.com
Subject: [EXT] Re: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

Seconded!  This is great, thanks for sharing Mark!  Are you guys planning on turning this into a package and adding it to the package manager?

https://bro-package-manager.readthedocs.io/en/stable/package.html

   .Seth

On 27 Mar 2019, at 9:37, Zeolla at GMail.com wrote:

> Nice work, thanks for sharing!
>
> - Jon Zeolla
> Zeolla at GMail.Com
>
>
> On Wed, Mar 27, 2019 at 9:09 AM Fernandez, Mark I
> <mfernandez at mitre.org>
> wrote:
>
>> All,
>>
>> MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like
>> adversarial activity.  The project is called BZAR – Bro/Zeek
>> ATT&CK-based Analytics and Reporting.
>>
>> MITRE ATT&CK is a publicly-available, curated knowledge base for
>> cyber adversary behavior, reflecting the various phases of the
>> adversary lifecycle and the platforms they are known to target. The
>> ATT&CK model includes behaviors of numerous threat groups.
>>
>> BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC
>> protocol analyzers and the File Extraction Framework to detect
>> ATT&CK-like activity, correlate certain techniques, and write to the
>> Notice Log.
>>
>> BZAR is publicly released as open source, under MITRE case number
>> 18-2489.  It is available for download at the following URL:
>>
>>    - https://github.com/mitre-attack/car/tree/master/implementations/bzar
>>
>> For more information on MITRE ATT&CK, visit https://attack.mitre.org.
>>
>> *Mark I. Fernandez*
>> The MITRE Corporation
>> mfernandez at mitre.org
>>
>> P.S.  It does not yet support the Bro/Zeek Package Manager (this is
>> on the todo list).
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
Seth Hall * Corelight, Inc * www.corelight.com
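The mechanism Mark's announcement describes, Zeek's DCE-RPC analyzer events feeding the Notice Log with some correlation across techniques, can be illustrated with a short Zeek script. This is an added example written for this page, not BZAR's own code: the endpoint/operation-to-technique table, the correlation window and the file name attack_rpc.zeek are assumptions chosen for illustration (check the technique IDs against https://attack.mitre.org before relying on them), and the event signature assumes Zeek 3.x.

```zeek
##! Added example (not BZAR's code): tag selected DCE-RPC operations seen by
##! Zeek's DCE_RPC analyzer with an ATT&CK technique, raise a notice for each,
##! and raise a second, correlated notice when one client exercises two or more
##! distinct techniques against the same server within a window.

@load base/protocols/dce_rpc
@load base/frameworks/notice

module AttackRpc;

export {
	redef enum Notice::Type += {
		## One DCE-RPC operation associated with an ATT&CK technique.
		Technique_Observed,
		## The same client used two or more distinct techniques against one host.
		Techniques_Correlated,
	};

	## "endpoint::operation", using the names Zeek writes to dce_rpc.log,
	## mapped to a technique label. ASSUMED mapping, for illustration only.
	const watched: table[string] of string = {
		["svcctl::CreateServiceW"]                     = "T1021.002 remote service creation",
		["svcctl::StartServiceW"]                      = "T1021.002 remote service start",
		["atsvc::JobAdd"]                              = "T1053.002 scheduled task (AT)",
		["ITaskSchedulerService::SchRpcRegisterTask"]  = "T1053.005 scheduled task",
		["samr::SamrEnumerateUsersInDomain"]           = "T1087.002 domain account discovery",
		["srvsvc::NetrShareEnum"]                      = "T1135 network share discovery",
	} &redef;

	## Assumed correlation window: a client/server pair's technique set is
	## dropped if no new technique is added for this long.
	const correlation_window = 10 min &redef;
}

type Pair: record {
	orig: addr;
	resp: addr;
};

## Distinct techniques each client has used against each server.
global seen: table[Pair] of set[string] &create_expire=correlation_window;

## Priority -3: after the base DCE_RPC scripts (priority 5) have filled in
## c$dce_rpc$endpoint and c$dce_rpc$operation, and before their lowest-priority
## handler logs the record.
event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count) &priority=-3
	{
	if ( ! c?$dce_rpc || ! c$dce_rpc?$endpoint || ! c$dce_rpc?$operation )
		return;

	local op = fmt("%s::%s", c$dce_rpc$endpoint, c$dce_rpc$operation);
	if ( op !in watched )
		return;

	local technique = watched[op];

	# One notice per (client, server, operation); Notice's default suppression
	# interval keeps repeats of the same identifier out of notice.log.
	NOTICE([$note=Technique_Observed,
	        $conn=c,
	        $msg=fmt("%s -> %s: %s (%s)", c$id$orig_h, c$id$resp_h, op, technique),
	        $sub=technique,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, op)]);

	local k = Pair($orig=c$id$orig_h, $resp=c$id$resp_h);
	if ( k !in seen )
		seen[k] = set();
	add seen[k][technique];

	# Correlation: the same client chaining techniques against one host
	# (e.g. share discovery followed by remote service creation).
	if ( |seen[k]| >= 2 )
		NOTICE([$note=Techniques_Correlated,
		        $conn=c,
		        $msg=fmt("%s used %d distinct ATT&CK techniques against %s within %s",
		                 c$id$orig_h, |seen[k]|, c$id$resp_h, correlation_window),
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}
```

Run it over a capture with `zeek -r capture.pcap attack_rpc.zeek` and read notice.log; the per-operation notices appear as AttackRpc::Technique_Observed with the technique in the sub column, and a client that exercises two watched operations of different techniques against the same server also produces AttackRpc::Techniques_Correlated. The identifier fields are what keep the log readable on a busy network: without them every repeated RPC call would produce its own notice line.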
