[Zeek] [Non-DoD Source] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

Weasel, Gary W CIV DISA RE (US) gary.w.weasel2.civ at mail.mil
Wed Mar 27 11:35:36 PDT 2019


Mark,

Is this developed for Bro/Zeek 2.5.5?  I'm getting errors when attempting to load this in Bro/Zeek 2.6.1.


v/r
Gary W. Weasel, Jr.

-----Original Message-----
From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> On Behalf Of Fernandez, Mark I
Sent: Wednesday, March 27, 2019 9:02 AM
To: zeek at zeek.org
Subject: [Non-DoD Source] [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

All,

MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like adversarial activity.  The project is called BZAR - Bro/Zeek ATT&CK-based Analytics and Reporting.

MITRE ATT&CK is a publicly-available, curated knowledge base for cyber adversary behavior, reflecting the various phases of the adversary lifecycle and the platforms they are known to target. The ATT&CK model includes behaviors of numerous threat groups.

BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers and the File Extraction Framework to detect ATT&CK-like activity, correlate certain techniques, and write to the Notice Log.

BZAR is publicly released as open source, under MITRE case number 18-2489.  It is available for download at the following URL:

*       https://github.com/mitre-attack/car/tree/master/implementations/bzar

For more information on MITRE ATT&CK, visit https://attack.mitre.org.

Mark I. Fernandez
The MITRE Corporation
mfernandez at mitre.org

P.S.  It does not yet support the Bro/Zeek Package Manager (this is on the todo list).



