ESM Default Content

App Support Tiers

MICRO FOCUS SUPPORTED

Support via Micro Focus Software Support, with a ticket filed against the associated product.

PARTNER

Micro Focus offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner, not by Micro Focus or the Micro Focus community.

MICRO FOCUS COMMUNITY

Micro Focus Community Content is provided by Micro Focus for the benefit of customers; support for it is not available via Micro Focus Software Support but through the specific community content forums.

COMMUNITY

Community Contributed Content is provided by Micro Focus customers and supported by them.

Yun P | Community
ESM Default Content includes the Security Threat Monitoring package and the Threat Intelligence Platform package. It also includes resources for tracking techniques from the MITRE ATT&CK framework.
1,462 downloads


Description

Threat Intelligence Platform

This package is designed to detect security threats based on threat intelligence fed from the open-source Malware Information Sharing Platform (MISP). Its rules are also mapped to the MITRE ATT&CK framework.

This package requires the Model Import Connector (MIC) for MISP to be installed, since that connector is what imports the MISP indicators into ESM. For more information on MIC, refer to the documentation at https://community.microfocus.com/t5/ESM-and-ESM-Express/Model-Import-Connector-for-MISP-Malware-Information-Sharing/ta-p/2752381

The following use cases are covered in this package:

  • Botnet Activity
  • Dangerous Browsing
  • Internal Asset Found in Reputation List
  • Phishing
  • Ransomware
  • Suspicious Activity
  • Suspicious DNS Query
  • Suspicious Email
  • Suspicious File Hash
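The matching that these use cases rely on, shown as an added example that is not part of the Threat Intelligence Platform package: in ESM the MISP attributes are imported by MIC for MISP into active lists and the package's correlation rules join events against those lists. In the Python below a dict keyed on (IOC type, normalised value) stands in for the active list; it loads constructed MISP-style CSV rows (including the `misp-galaxy:mitre-attack-pattern` tag that carries the ATT&CK technique), normalises values the way log sources and feeds tend to disagree (trailing dots on DNS names, hash case), and checks constructed DNS, proxy, anti-virus and firewall events against the indicators. The `USE_CASES` field-to-IOC mapping, the indicator values and the events are assumptions for illustration, not the package's rule logic.

```python
"""Threat-intel matching in the spirit of the Threat Intelligence Platform
use cases (Suspicious DNS Query, Dangerous Browsing, Suspicious File Hash,
Suspicious Activity).

Added example, not the package's own rules. A dict keyed on
(IOC type, normalised value) stands in for the ESM active list that
MIC for MISP populates. MISP rows, field mapping and events are constructed;
indicator values are documentation-range placeholders, not real IOCs.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed rows in the shape of a MISP attribute CSV export. The galaxy tag
# carries the ATT&CK technique, which is how a use case gets its MITRE mapping.
MISP_CSV = """event_id,type,value,tags
101,domain,bad-updates.example,misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"
101,url,http://bad-updates.example/dl/payload.exe,misp-galaxy:mitre-attack-pattern="Remote File Copy - T1105"
102,sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"
103,ip-dst,198.51.100.23,misp-galaxy:mitre-attack-pattern="Remote Access Tools - T1219"
"""


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    technique: str | None    # ATT&CK ID pulled from the galaxy tag, if present


def normalise(ioc_type: str, value: str) -> str:
    """Canonicalise so that log spelling and feed spelling compare equal."""
    value = value.strip()
    if ioc_type in ("domain", "hostname"):
        return value.lower().rstrip(".")          # DNS logs often carry a trailing dot
    if ioc_type in ("md5", "sha1", "sha256"):
        return value.lower()                      # AV products vary in hash case
    return value


def technique_from_tags(tags: str) -> str | None:
    m = re.search(r'mitre-attack-pattern="[^"]* - (T\d{4})"', tags)
    return m.group(1) if m else None


def load_indicators(csv_text: str) -> dict[tuple[str, str], Indicator]:
    """Build the lookup table, keyed the way an active list would be keyed."""
    table: dict[tuple[str, str], Indicator] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc_type, value = row["type"], normalise(row["type"], row["value"])
        table[(ioc_type, value)] = Indicator(ioc_type, value, technique_from_tags(row["tags"]))
    return table


# Which event field each use case compares against which IOC type (assumed mapping).
USE_CASES = {
    "Suspicious DNS Query": ("destinationHostName", "domain"),
    "Dangerous Browsing":   ("requestUrl", "url"),
    "Suspicious File Hash": ("fileHash", "sha256"),
    "Suspicious Activity":  ("destinationAddress", "ip-dst"),
}


def lookups(ioc_type: str, raw: str):
    """Yield the (type, value) keys an event field should be checked under."""
    yield ioc_type, normalise(ioc_type, raw)
    if ioc_type == "url":                        # a URL also implicates its host
        host = urlsplit(raw).hostname
        if host:
            yield "domain", normalise("domain", host)


def match_event(event: dict, indicators: dict) -> list[tuple[str, str, str | None]]:
    """Return (use case, matched IOC, technique) for every indicator the event hits."""
    hits = []
    for use_case, (field, ioc_type) in USE_CASES.items():
        raw = event.get(field)
        if not raw:
            continue
        for key in lookups(ioc_type, raw):
            ind = indicators.get(key)
            if ind:
                hits.append((use_case, ind.value, ind.technique))
    return hits


# Constructed events using ArcSight-style field names.
EVENTS = [
    {"name": "dns query", "sourceAddress": "10.0.0.5", "destinationHostName": "Bad-Updates.example."},
    {"name": "proxy", "sourceAddress": "10.0.0.5", "requestUrl": "http://bad-updates.example/dl/payload.exe"},
    {"name": "av detect", "sourceAddress": "10.0.0.9",
     "fileHash": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"name": "fw allow", "sourceAddress": "10.0.0.9", "destinationAddress": "203.0.113.9"},
]


def run(events=EVENTS, csv_text=MISP_CSV) -> dict[str, list]:
    """Map event name to its hits; events with no hits are left out."""
    indicators = load_indicators(csv_text)
    return {e["name"]: hits for e in events if (hits := match_event(e, indicators))}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

The proxy event hits twice: once on the full URL and once on the URL's host against the domain list, which is the behaviour you want when a feed carries only the domain of a known-bad site. The firewall event to 203.0.113.9 produces nothing because that address is not in the feed.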

The following MITRE ATT&CK techniques are covered:

TA0001 Initial Access

  • T1192-Spearphishing Link
  • T1193-Spearphishing Attachment

TA0008 Lateral Movement

  • T1105-Remote File Copy

TA0010 Exfiltration

  • T1041-Exfiltration Over Command and Control Channel
  • T1048-Exfiltration Over Alternative Protocol

TA0011 Command and Control

  • T1026-Multiband Communication
  • T1043-Commonly Used Port
  • T1065-Uncommonly Used Port
  • T1092-Communication Through Removable Media
  • T1105-Remote File Copy
  • T1219-Remote Access Tools

TA0040 Impact

  • T1486-Data Encrypted for Impact

The following MITRE ATT&CK techniques were added in Threat Intelligence Platform release 2.0:

T1041, T1043, T1065, T1092, T1193

In release 2.1, the following MITRE ID was added:

T1105

In release 2.3, the following MITRE ID was added:

T1026


Security Threat Monitoring

This package monitors security threats based on security log events from firewalls, IDS/IPS, operating systems, applications, vulnerability scanners, anti-virus and similar sources.

The following use cases are included in this package:

  • Application Monitoring
  • Entity Monitoring
  • Host Monitoring
  • Malware Monitoring
  • Network Monitoring
  • Perimeter Monitoring
  • Vulnerability Monitoring

The following MITRE ATT&CK techniques are covered:

TA0001 Initial Access

  • T1078-Valid Accounts
  • T1091-Replication Through Removable Media
  • T1189-Drive-by Compromise
  • T1190-Exploit Public-Facing Application
  • T1193-Spearphishing Attachment
  • T1200-Hardware Additions

TA0002 Execution

  • T1028-Windows Remote Management
  • T1035-Service Execution
  • T1047-Windows Management Instrumentation
  • T1053-Scheduled Task
  • T1059-Command-Line Interface
  • T1061-Graphical User Interface
  • T1064-Scripting
  • T1072-Third-party Software
  • T1085-Rundll32
  • T1086-PowerShell
  • T1117-Regsvr32
  • T1118-InstallUtil
  • T1121-Regsvcs/Regasm
  • T1127-Trusted Developer Utilities
  • T1129-Execution through Module Load
  • T1151-Space after Filename
  • T1168-Local Job Scheduling
  • T1170-Mshta
  • T1173-Dynamic Data Exchange
  • T1175-Component Object Model and Distributed COM
  • T1191-CMSTP
  • T1196-Control Panel Items
  • T1203-Exploitation for Client Execution
  • T1204-User Execution
  • T1216-Signed Script Proxy Execution
  • T1218-Signed Binary Proxy Execution
  • T1220-XSL Script Processing
  • T1223-Compiled HTML File

TA0003 Persistence

  • T1031-Modify Existing Service
  • T1034-Path Interception
  • T1038-DLL Search Order Hijacking
  • T1050-New Service
  • T1053-Scheduled Task
  • T1060-Registry Run Keys / Startup Folder
  • T1078-Valid Accounts
  • T1098-Account Manipulation
  • T1136-Create Account
  • T1168-Local Job Scheduling
  • T1179-Hooking
  • T1183-Image File Execution Options Injection
  • T1215-Kernel Modules and Extensions

TA0004 Privilege Escalation

  • T1034-Path Interception
  • T1038-DLL Search Order Hijacking
  • T1050-New Service
  • T1053-Scheduled Task
  • T1055-Process Injection
  • T1068-Exploitation for Privilege Escalation
  • T1078-Valid Accounts
  • T1088-Bypass User Account Control
  • T1179-Hooking
  • T1183-Image File Execution Options Injection

TA0005 Defense Evasion

  • T1036-Masquerading
  • T1038-DLL Search Order Hijacking
  • T1045-Software Packing
  • T1055-Process Injection
  • T1064-Scripting
  • T1078-Valid Accounts
  • T1085-Rundll32
  • T1088-Bypass User Account Control
  • T1089-Disabling Security Tools
  • T1090-Connection Proxy
  • T1093-Process Hollowing
  • T1107-File Deletion
  • T1112-Modify Registry
  • T1117-Regsvr32
  • T1118-InstallUtil
  • T1121-Regsvcs Regasm
  • T1127-Trusted Developer Utilities
  • T1140-Deobfuscate/Decode Files or Information
  • T1151-Space after Filename
  • T1170-Mshta
  • T1183-Image File Execution Options Injection
  • T1191-CMSTP
  • T1196-Control Panel Items
  • T1216-Signed Script Proxy Execution
  • T1218-Signed Binary Proxy Execution
  • T1220-XSL Script Processing
  • T1223-Compiled HTML File

TA0006 Credential Access

  • T1003-Credential Dumping
  • T1040-Network Sniffing
  • T1098-Account Manipulation
  • T1110-Brute Force
  • T1179-Hooking
  • T1503-Credentials from Web Browsers

TA0007 Discovery

  • T1012-Query Registry
  • T1016-System Network Configuration Discovery
  • T1018-Remote System Discovery
  • T1040-Network Sniffing
  • T1046-Network Service Scanning
  • T1057-Process Discovery
  • T1063-Security Software Discovery
  • T1083-File and Directory Discovery
  • T1087-Account Discovery
  • T1201-Password Policy Discovery
  • T1518-Software Discovery

TA0008 Lateral Movement

  • T1028-Windows Remote Management
  • T1072-Third-party Software
  • T1075-Pass the Hash
  • T1076-Remote Desktop Protocol
  • T1077-Windows Admin Shares
  • T1091-Replication Through Removable Media
  • T1105-Remote File Copy
  • T1210-Exploitation of Remote Services

TA0009 Collection

  • T1039-Data from Network Shared Drive
  • T1056-Input Capture
  • T1113-Screen Capture
  • T1114-Email Collection
  • T1115-Clipboard Data

TA0010 Exfiltration

  • T1002-Data Compressed
  • T1048-Exfiltration Over Alternative Protocol
  • T1052-Exfiltration Over Physical Medium

TA0011 Command and Control

  • T1090-Connection Proxy
  • T1105-Remote File Copy
  • T1132-Data Encoding
  • T1188-Multi-hop Proxy
  • T1483-Domain Generation Algorithms

TA0040 Impact

  • T1486-Data Encrypted for Impact
  • T1489-Service Stop
  • T1490-Inhibit System Recovery
  • T1498-Network Denial of Service

The following MITRE ATT&CK techniques were added in Security Threat Monitoring release 2.0:

T1002, T1003, T1028, T1031, T1035, T1038, T1039, T1047, T1050, T1052, T1053, T1055, T1059, T1061, T1064, T1072, T1078, T1085, T1086, T1087, T1089, T1090, T1091, T1107, T1113, T1114, T1115, T1117, T1118, T1121, T1127, T1129, T1140, T1151, T1168, T1170, T1173, T1175, T1179, T1183, T1191, T1196, T1200, T1203, T1204, T1215, T1216, T1218, T1220, T1223

In release 2.1, the following MITRE IDs were added, or rules were added for existing MITRE IDs:

T1016, T1018, T1036, T1040, T1046, T1057, T1068, T1098, T1132, T1498

In release 2.2, the following MITRE IDs were added, or rules were added for existing MITRE IDs:

T1003, T1012, T1036, T1045, T1063, T1083, T1086, T1089, T1105, T1112, T1132, T1201, T1503, T1518

In release 2.3, the following MITRE IDs were added, or rules were added for existing MITRE IDs:

T1034, T1056, T1060, T1068, T1076, T1077, T1078, T1085, T1088, T1089, T1090, T1093, T1105, T1113, T1188, T1193, T1490
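A coverage audit of the lists above, added here as an example and not part of the packages. It copies the per-tactic coverage of both packages and the Security Threat Monitoring release-note ID lists from this page (the 2.0 list is taken from the Security Threat Monitoring 2.0.0.0 entry in the release history further down, which, unlike the description above, includes T1041), flags IDs that a release note mentions but the coverage list does not (T1041 appears only in the Threat Intelligence Platform coverage), reports techniques that no release note introduced (presumably present since 1.0), shows techniques listed under more than one tactic, and writes an ATT&CK Navigator layer. The tactic slugs and the layer field names follow the Navigator layer format. Caveat: these are ATT&CK v6 technique IDs; the sub-technique restructuring in ATT&CK v7 (July 2020) revoked or renamed many of them (T1192 and T1193 became T1566.002 and T1566.001, T1086 became T1059.001), so a current Navigator will not colour all of them.

```python
"""Coverage audit for the technique lists on this page.

Added example, not part of the ESM Default Content packages. The per-tactic
coverage and the release-note ID lists are copied from this page; tactic
slugs follow the ATT&CK Navigator layer format. The IDs are ATT&CK v6
(pre-sub-technique) IDs, so a current Navigator will flag many as revoked.
"""
import json

STM = {  # Security Threat Monitoring 2.3 coverage by tactic
    "initial-access": "T1078 T1091 T1189 T1190 T1193 T1200",
    "execution": "T1028 T1035 T1047 T1053 T1059 T1061 T1064 T1072 T1085 T1086 T1117 T1118 "
                 "T1121 T1127 T1129 T1151 T1168 T1170 T1173 T1175 T1191 T1196 T1203 T1204 "
                 "T1216 T1218 T1220 T1223",
    "persistence": "T1031 T1034 T1038 T1050 T1053 T1060 T1078 T1098 T1136 T1168 T1179 T1183 T1215",
    "privilege-escalation": "T1034 T1038 T1050 T1053 T1055 T1068 T1078 T1088 T1179 T1183",
    "defense-evasion": "T1036 T1038 T1045 T1055 T1064 T1078 T1085 T1088 T1089 T1090 T1093 T1107 "
                       "T1112 T1117 T1118 T1121 T1127 T1140 T1151 T1170 T1183 T1191 T1196 T1216 "
                       "T1218 T1220 T1223",
    "credential-access": "T1003 T1040 T1098 T1110 T1179 T1503",
    "discovery": "T1012 T1016 T1018 T1040 T1046 T1057 T1063 T1083 T1087 T1201 T1518",
    "lateral-movement": "T1028 T1072 T1075 T1076 T1077 T1091 T1105 T1210",
    "collection": "T1039 T1056 T1113 T1114 T1115",
    "exfiltration": "T1002 T1048 T1052",
    "command-and-control": "T1090 T1105 T1132 T1188 T1483",
    "impact": "T1486 T1489 T1490 T1498",
}
TIP = {  # Threat Intelligence Platform 2.3 coverage by tactic
    "initial-access": "T1192 T1193",
    "lateral-movement": "T1105",
    "exfiltration": "T1041 T1048",
    "command-and-control": "T1026 T1043 T1065 T1092 T1105 T1219",
    "impact": "T1486",
}
# Security Threat Monitoring release notes as printed on this page
# (2.0 from the release entry, 2.1 to 2.3 from the description).
STM_RELEASE_NOTES = {
    "2.0": "T1002 T1003 T1028 T1031 T1035 T1038 T1039 T1041 T1047 T1050 T1052 T1053 T1055 T1059 "
           "T1061 T1064 T1072 T1078 T1085 T1086 T1087 T1089 T1090 T1091 T1107 T1113 T1114 T1115 "
           "T1117 T1118 T1121 T1127 T1129 T1140 T1151 T1168 T1170 T1173 T1175 T1179 T1183 T1191 "
           "T1196 T1200 T1203 T1204 T1215 T1216 T1218 T1220 T1223",
    "2.1": "T1016 T1018 T1036 T1040 T1046 T1057 T1068 T1098 T1132 T1498",
    "2.2": "T1003 T1012 T1036 T1045 T1063 T1083 T1086 T1089 T1105 T1112 T1132 T1201 T1503 T1518",
    "2.3": "T1034 T1056 T1060 T1068 T1076 T1077 T1078 T1085 T1088 T1089 T1090 T1093 T1105 T1113 "
           "T1188 T1193 T1490",
}


def techniques(coverage: dict) -> set:
    """All technique IDs in a coverage map, regardless of tactic."""
    return {t for ids in coverage.values() for t in ids.split()}


def tactics_for(coverage: dict, tid: str) -> list:
    """Tactics under which one technique is listed (T1105 sits under two)."""
    return sorted(tac for tac, ids in coverage.items() if tid in ids.split())


def unlisted(coverage: dict, release_ids: str) -> list:
    """IDs a release note claims that the coverage list never mentions."""
    return sorted(set(release_ids.split()) - techniques(coverage))


def never_noted(coverage: dict, release_notes: dict) -> list:
    """Covered IDs that no release note introduced, i.e. present since 1.0."""
    noted = {t for ids in release_notes.values() for t in ids.split()}
    return sorted(techniques(coverage) - noted)


def first_seen(release_notes: dict) -> dict:
    """Earliest release whose note mentions each ID (later notes may repeat an ID)."""
    seen = {}
    for ver in sorted(release_notes, key=lambda v: tuple(int(x) for x in v.split("."))):
        for t in release_notes[ver].split():
            seen.setdefault(t, ver)
    return seen


def navigator_layer(name: str, coverage: dict, score: int = 1) -> dict:
    """ATT&CK Navigator layer: one entry per (technique, tactic) pair."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "tactic": tac, "score": score}
                       for tac, ids in coverage.items() for t in ids.split()],
    }


if __name__ == "__main__":
    for ver, ids in STM_RELEASE_NOTES.items():
        print(ver, "in note but not in coverage:", unlisted(STM, ids))
    print("covered since 1.0:", never_noted(STM, STM_RELEASE_NOTES))
    print(json.dumps(navigator_layer("ESM Default Content - STM 2.3", STM))[:200], "...")
```

Running it shows the one inconsistency between the two 2.0 lists on this page (T1041) and gives you the "since 1.0" set that no release note documents, which is useful when you need to justify a coverage claim to an auditor rather than trust the package name.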

Note: To upgrade from version 1.0 to 2.3:

It is recommended to first uninstall the old version of the package below:

Security Monitoring - Base - Active Lists (version 1.0; do not uninstall it if it is already v2.3)

Keep in mind that the following three packages will be uninstalled automatically as well:

Security Monitoring - Base

Security Threat Monitoring

Threat Intelligence Platform

Before uninstalling, export any rules or active-list entries you have customised on top of the 1.0 resources, since they are removed together with the package.

Then install the version 2.3 packages through the console.

To upgrade from version 2.0, 2.1 or 2.2 to 2.3:

You can install the new version packages through the console directly, without uninstalling the old version packages.

Sample replay events

The Sample Replay Events zip file contains four files: two replay event files, one .arb package and a readme.

To trigger and test rules in the default content:

1) Enable the rules you want to test.

2) Install the package contained in the zip; it is needed to test rules in the Threat Intelligence Platform package.
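A CEF test-event builder, added here as an example and not part of the Sample Replay Events package. The replay files in that zip are loaded through the ESM console; this instead hand-crafts CEF lines that a syslog SmartConnector would parse, which is handy when you want one event shaped to satisfy a single rule's conditions (the sample below is shaped for a Suspicious DNS Query style rule). It applies the CEF escaping rules (backslash and pipe in header fields, backslash and equals in extension values, CR/LF written as `\r` `\n`) and parses the result back so you can confirm the connector will see the values you intended. The vendor/product names, field values and the target host are constructed placeholders.

```python
"""CEF test-event builder and parser for exercising ESM correlation rules.

Added example, not part of the Sample Replay Events package on this page.
Hand-crafts CEF lines a syslog SmartConnector would parse, with the CEF
escaping rules applied, and parses them back for verification.
Vendor/product names, field values and the target host are constructed.
"""
from __future__ import annotations

import re
import socket

HEADER_KEYS = ("cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")


def esc_header(value) -> str:
    """Header fields: '\\' and '|' are escaped; CR/LF are not allowed at all."""
    return (str(value).replace("\\", "\\\\").replace("|", "\\|")
            .replace("\r", " ").replace("\n", " "))


def esc_ext(value) -> str:
    """Extension values: '\\' and '=' are escaped; CR/LF become two-character \\r and \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, signature_id, name, severity, **ext) -> str:
    """Render CEF:0|vendor|product|version|signature_id|name|severity|k=v k=v ..."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0-10")
    header = "|".join(esc_header(v) for v in (vendor, product, version, signature_id, name, severity))
    extension = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Split the seven header fields on unescaped '|' and the extension on 'key=' boundaries."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, cur, i = [], [], len("CEF:")
    while len(fields) < 7 and i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character: take it literally
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_KEYS, fields))
    ext = line[i:]
    # A key starts at the beginning or after whitespace; an escaped '\=' never qualifies.
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():end])
    return event


def sample_event() -> str:
    """Constructed event shaped for a Suspicious DNS Query style rule."""
    return build_cef("ExampleVendor", "ExampleDNS", "1.0", "dns:query",
                     "DNS query | test", 3,
                     src="10.0.0.5", dhost="bad-updates.example",
                     requestClientApplication="nslookup",
                     msg="constructed test event\nkey=value inside")


def send_udp(line: str, host: str, port: int = 514) -> int:
    """Ship one line to a syslog SmartConnector listening on UDP (not called by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    line = sample_event()
    print(line)
    print(parse_cef(line))
```

Keep the `name` and `msg` values in the sample as they are when you first try this: the pipe, the equals sign and the embedded newline are exactly the characters that break naively concatenated test events, and a connector that receives them unescaped will either split the header in the wrong place or swallow the rest of the extension into `msg`.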


Minimum Requirements

ESM 6.9.1 and above.

The Threat Intelligence Platform package additionally requires MIC for MISP.

Releases

Security Threat Monitoring 2.3.0.0 (281.3 KB, Jun 11, 2020)
Product compatibility: ESM 6.9.1, 6.11.0, 7.0, 7.2
Release notes: Bug fixes, and the following MITRE IDs were added or rules were added for existing MITRE IDs:
T1034, T1056, T1060, T1068, T1076, T1077, T1078, T1085, T1088, T1089, T1090, T1093, T1105, T1113, T1188, T1193, T1490
Languages: English
Threat Intelligence Platform 2.3.0.0 (162.9 KB, Jun 11, 2020)
Product compatibility: ESM 6.9.1, 6.11.0, 7.0, 7.2
Release notes: Bug fixes, and the following MITRE ID was added:
T1026
Languages: English
Sample Replay Events 1.0.0.0 (109.0 KB, Jun 11, 2020)
Product compatibility: ESM 6.9.1, 6.11.0, 7.0, 7.2
Release notes: These replay events are used to test rules in the default content.
Languages: English
Files
Threat Intelligence Platform 2.2.0.0 (151.8 KB, May 4, 2020)
Product compatibility: ESM 6.9.1, 6.11.0, 7.0, 7.2
Release notes: Bug fix.
Languages: English
Security Threat Monitoring 2.2.0.0 (260.4 KB, May 4, 2020)
Product compatibility: ESM 6.9.1, 6.11.0, 7.0, 7.2
Release notes: Bug fix, and the following MITRE IDs were added or rules were added for existing MITRE IDs:
T1003, T1012, T1036, T1045, T1063, T1083, T1086, T1089, T1105, T1112, T1132, T1201, T1503, T1518
Languages: English
Threat Intelligence Platform 2.1.0.0 (148.5 KB, Mar 27, 2020)
Product compatibility: ESM 6.8, 6.9.1, 6.11.0, 7.0, 7.2
Release notes: Bug fixes, and the following MITRE ID was added:
T1105
Languages: English
Security Threat Monitoring 2.1.0.0 (243.3 KB, Mar 27, 2020)
Product compatibility: ESM 6.8, 6.9.1, 6.11.0, 7.0, 7.2
Release notes: Bug fixes, and the following MITRE IDs were added or rules were added for existing MITRE IDs:
T1016, T1018, T1036, T1040, T1046, T1057, T1068, T1098, T1132, T1498
Languages: English
Security Threat Monitoring 2.0.0.0 (221.2 KB, Mar 2, 2020)
Product compatibility: ESM 6.11, 7.0, 7.2
Release notes: Bug fix, and the following MITRE ATT&CK techniques are covered in release 2.0:
T1002, T1003, T1028, T1031, T1035, T1038, T1039, T1041, T1047, T1050, T1052, T1053, T1055, T1059, T1061, T1064, T1072, T1078, T1085, T1086, T1087, T1089, T1090, T1091, T1107, T1113, T1114, T1115, T1117, T1118, T1121, T1127, T1129, T1140, T1151, T1168, T1170, T1173, T1175, T1179, T1183, T1191, T1196, T1200, T1203, T1204, T1215, T1216, T1218, T1220, T1223
Languages: English
Threat Intelligence Platform 2.0.0.0 (142.0 KB, Mar 2, 2020)
Product compatibility: ESM 6.11, 7.0, 7.2
Release notes: Bug fix, and the following MITRE ATT&CK techniques are covered in release 2.0:
T1043, T1065, T1092, T1193
Languages: English
Threat Intelligence Platform 1.0.0.0 (90.1 KB, Dec 20, 2019)
Product compatibility: ESM 6.8, 6.9.1, 6.11.0, 7.0, 7.2
Release notes: Threat Intelligence Platform is designed to detect security threats based on threat intelligence fed from the open-source Malware Information Sharing Platform (MISP). It also follows the MITRE ATT&CK framework. The following use cases are based on the MISP feed, which is imported by the MIC connector:

  • Botnet Activity
  • Dangerous Browsing
  • Internal Asset Found in Reputation List
  • Phishing
  • Ransomware
  • Suspicious Activity
  • Suspicious DNS Query
  • Suspicious Email
  • Suspicious File Hash

The following MITRE ATT&CK techniques are covered as well:

  • T1192-Spearphishing Link
  • T1219-Remote Access Tools
  • T1486-Data Encrypted for Impact

Languages: English
Security Threat Monitoring 1.0.0.0 (118.7 KB, Nov 8, 2019)
Product compatibility: ESM 6.8, 6.9.1, 6.11.0, 7.0, 7.2
Release notes: This is the first release; the use cases are listed in the full description.
Languages: English

release-rel-2020-8-1-3011 | Thu Aug 6 03:14:12 PDT 2020