[Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

Amber Graner akgraner at corelight.com
Wed Mar 27 08:14:19 PDT 2019


Mark,

Thank you so much for sharing this.

~Amber

On Wed, Mar 27, 2019 at 8:09 AM Fernandez, Mark I <mfernandez at mitre.org>
wrote:

> All,
>
> MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like
> adversarial activity.  The project is called BZAR – Bro/Zeek ATT&CK-based
> Analytics and Reporting.
>
> MITRE ATT&CK is a publicly-available, curated knowledge base for cyber
> adversary behavior, reflecting the various phases of the adversary
> lifecycle and the platforms they are known to target. The ATT&CK model
> includes behaviors of numerous threat groups.
>
> BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol
> analyzers and the File Extraction Framework to detect ATT&CK-like activity,
> correlate certain techniques, and write to the Notice Log.
>
> BZAR is publicly released as open source, under MITRE case number
> 18-2489.  It is available for download at the following URL:
>
>    - https://github.com/mitre-attack/car/tree/master/implementations/bzar
>
> For more information on MITRE ATT&CK, visit https://attack.mitre.org.
>
> *Mark I. Fernandez*
>
> The MITRE Corporation
>
> mfernandez at mitre.org
>
> P.S.  It does not yet support the Bro/Zeek Package Manager (this is on the
> todo list).
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
*Amber Graner*
Director of Community
Corelight, Inc

828.582.9469


 * Ask me about how you can participate in the Zeek (formerly Bro)
community.
 * Remember - ZEEK AND YOU SHALL FIND!!

