Description

We are excited to announce that ArcSight now supports MITRE ATT&CK with sub-techniques.

In this release version 3.0, we have re-mapped the existing Default Content to support the new MITRE ATT&CK sub-techniques.

As a result of this re-mapping exercise, the Default Content now supports the techniques and sub-techniques listed below.

For a more user-friendly way of browsing this list, we recommend visiting https://mitre.microfocus.com/.

We also provide a downloadable JSON-formatted file of all Default and Non-Default Content on the above-mentioned webpage.


Threat Intelligence Platform

This package is designed to detect security threats based on the intelligence data feed from the open source Malware Information Sharing Platform (MISP). It also follows the MITRE ATT&CK framework.

This package requires installation of the Model Import Connector (MIC) for MISP. For more information on MIC, please refer to the documentation at https://community.microfocus.com/t5/ESM-and-ESM-Express/Model-Import-Connector-for-MISP-Malware-Information-Sharing/ta-p/2752381

The following use cases are covered in this package:

  • Botnet Activity
  • Dangerous Browsing
  • Internal Asset Found in Reputation List
  • Phishing
  • Ransomware
  • Suspicious Activity
  • Suspicious DNS Query
  • Suspicious Email
  • Suspicious File Hash

The following MITRE ATT&CK techniques/sub-techniques are covered:

TA0001 Initial Access

-T1566-Phishing

--T1566.001-Spearphishing Attachment

--T1566.002-Spearphishing Link


TA0008 Lateral Movement

-T1105-Ingress Tool Transfer


TA0010 Exfiltration

-T1048-Exfiltration Over Alternative Protocol

-T1041-Exfiltration Over Command and Control Channel


TA0011 Command and Control

-T1092-Communication Through Removable Media

-T1071-Application Layer Protocol

--T1071.001-Web Protocols

-T1105-Ingress Tool Transfer

-T1568-Dynamic Resolution

--T1568.002-Domain Generation Algorithms

-T1571-Non-Standard Port


TA0040 Impact

-T1486-Data Encrypted for Impact


In release version 2.3, the following MITRE ID was added:

T1026


In release version 2.1, the following MITRE ID was added:

T1105


In release version 2.0, the following MITRE IDs were added:

T1041, T1043, T1048, T1065, T1092, T1193


Security Threat Monitoring:

This package monitors security threats based on security log events from firewalls, IDS/IPS, operating systems, applications, scanners, anti-virus products, and similar sources.

The following use cases are included in this package:

  • Application Monitoring
  • Entity Monitoring
  • Host Monitoring
  • Malware Monitoring
  • Network Monitoring
  • Perimeter Monitoring
  • Vulnerability Monitoring

The following MITRE ATT&CK techniques/sub-techniques are covered:

TA0001 Initial Access

-T1078-Valid Accounts

--T1078.001-Default Accounts

-T1091-Replication Through Removable Media

-T1133-External Remote Services

-T1189-Drive-by Compromise

-T1190-Exploit Public-Facing Application

-T1200-Hardware Additions

-T1566-Phishing

--T1566.001-Spearphishing Attachment


TA0002 Execution

-T1047-Windows Management Instrumentation

-T1053-Scheduled Task

--T1053.002-At (Windows)

--T1053.005-Scheduled Task

-T1059-Command and Scripting Interpreter

--T1059.001-PowerShell

--T1059.003-Windows Command Shell

-T1072-Third-party Software

-T1127-Trusted Developer Utilities Proxy Execution

--T1127.001-MSBuild

-T1129-Execution through Module Load

-T1168-Local Job Scheduling

-T1203-Exploitation for Client Execution

-T1204-User Execution

--T1204.001-Malicious Link

-T1216-Signed Script Proxy Execution

--T1216.001-PubPrn

-T1218-Signed Binary Proxy Execution

--T1218.001-Compiled HTML File

--T1218.002-Control Panel Items

--T1218.003-CMSTP

--T1218.004-InstallUtil

--T1218.005-Mshta

--T1218.007-Msiexec

--T1218.009-Regsvcs/Regasm

--T1218.010-Regsvr32

--T1218.011-Rundll32

-T1559-Inter-Process Communication

--T1559.002-Dynamic Data Exchange

-T1569-System Services

--T1569.002-Service Execution


TA0003 Persistence

-T1053-Scheduled Task

--T1053.002-At (Windows)

--T1053.005-Scheduled Task

-T1078-Valid Accounts

--T1078.001-Default Accounts

-T1098-Account Manipulation

-T1133-External Remote Services

-T1136-Create Account

-T1168-Local Job Scheduling

-T1543-Create or Modify System Process

--T1543.003-Windows Service

-T1546-Event Triggered Execution

--T1546.012-Image File Execution Options Injection

-T1547-Boot or Logon Autostart Execution

--T1547.001-Registry Run Keys and Startup Folder

--T1547.006-Kernel Modules and Extensions

-T1574-Hijack Execution Flow

--T1574.001-DLL Search Order Hijacking

--T1574.009-Path Interception by Unquoted Path


TA0004 Privilege Escalation

-T1053-Scheduled Task

--T1053.002-At (Windows)

--T1053.005-Scheduled Task

-T1055-Process Injection

--T1055.012-Process Hollowing

-T1068-Exploitation for Privilege Escalation

-T1078-Valid Accounts

--T1078.001-Default Accounts

-T1543-Create or Modify System Process

--T1543.003-Windows Service

-T1546-Event Triggered Execution

--T1546.012-Image File Execution Options Injection

-T1548-Abuse Elevation Control Mechanism

--T1548.002-Bypass User Access Control

-T1574-Hijack Execution Flow

--T1574.001-DLL Search Order Hijacking

--T1574.009-Path Interception by Unquoted Path


TA0005 Defense Evasion

-T1027-Obfuscated Files or Information

--T1027.002-Software Packing

-T1036-Masquerading

--T1036.002-Right-to-Left Override

--T1036.005-Match Legitimate Name or Location

--T1036.006-Space after Filename

-T1055-Process Injection

--T1055.012-Process Hollowing

-T1070-Indicator Removal on Host

--T1070.004-File Deletion

-T1078-Valid Accounts

--T1078.001-Default Accounts

-T1112-Modify Registry

-T1127-Trusted Developer Utilities Proxy Execution

--T1127.001-MSBuild

-T1140-Deobfuscate/Decode Files or Information

-T1216-Signed Script Proxy Execution

--T1216.001-PubPrn

-T1218-Signed Binary Proxy Execution

--T1218.001-Compiled HTML File

--T1218.002-Control Panel Items

--T1218.003-CMSTP

--T1218.004-InstallUtil

--T1218.005-Mshta

--T1218.007-Msiexec

--T1218.009-Regsvcs/Regasm

--T1218.010-Regsvr32

--T1218.011-Rundll32

-T1220-XSL Script Processing

-T1548-Abuse Elevation Control Mechanism

--T1548.002-Bypass User Access Control

-T1550-Use Alternate Authentication Material

--T1550.002-Pass the Hash

-T1562-Impair Defenses

--T1562.001-Disable or Modify Tools


TA0006 Credential Access

-T1003-OS Credential Dumping

--T1003.001-LSASS Memory

--T1003.002-Security Account Manager

-T1040-Network Sniffing

-T1056-Input Capture

--T1056.001-Keylogging

--T1056.004-Credential API Hooking

-T1110-Brute Force

--T1110.001-Password Guessing

--T1110.003-Password Spraying

-T1555-Credentials from Password Stores

--T1555.003-Credentials from Web Browsers


TA0007 Discovery

-T1012-Query Registry

-T1016-System Network Configuration Discovery

-T1018-Remote System Discovery

-T1040-Network Sniffing

-T1046-Network Service Scanning

-T1057-Process Discovery

-T1083-File and Directory Discovery

-T1087-Account Discovery

--T1087.001-Local Account

-T1201-Password Policy Discovery

-T1518-Software Discovery

--T1518.001-Security Software Discovery


TA0008 Lateral Movement

-T1021-Remote Services

--T1021.001-Remote Desktop Protocol

--T1021.002-SMB and Windows Admin Shares

--T1021.003-Distributed Component Object Model

-T1072-Third-party Software

-T1091-Replication Through Removable Media

-T1210-Exploitation of Remote Services

-T1550-Use Alternate Authentication Material

--T1550.002-Pass the Hash


TA0009 Collection

-T1039-Data from Network Shared Drive

-T1056-Input Capture

--T1056.001-Keylogging

--T1056.004-Credential API Hooking

-T1113-Screen Capture

-T1114-Email Collection

-T1115-Clipboard Data

-T1560-Archive Collected Data

--T1560.001-Archive via Utility


TA0010 Exfiltration

-T1048-Exfiltration Over Alternative Protocol

-T1052-Exfiltration Over Physical Medium


TA0011 Command and Control

-T1071-Application Layer Protocol

--T1071.004-DNS

-T1090-Proxy

--T1090.003-Multi-hop Proxy

-T1105-Ingress Tool Transfer

-T1132-Data Encoding

--T1132.001-Standard Encoding


TA0040 Impact

-T1486-Data Encrypted for Impact

-T1489-Service Stop

-T1490-Inhibit System Recovery

-T1498-Network Denial of Service

--T1498.001-Direct Network Flood


In release version 2.4, the following MITRE IDs were added, or rules were added to existing MITRE IDs:

T1027, T1036, T1047, T1050, T1053, T1086, T1088, T1173


In release version 2.3, the following MITRE IDs were added, or rules were added to existing MITRE IDs:

T1034, T1056, T1060, T1068, T1076, T1077, T1078, T1085, T1088, T1089, T1090, T1093, T1105, T1113, T1188, T1193, T1490


In release version 2.2, the following MITRE IDs were added, or rules were added to existing MITRE IDs:

T1003, T1012, T1036, T1045, T1063, T1083, T1086, T1089, T1105, T1112, T1132, T1201, T1503, T1518


In release version 2.1, the following MITRE IDs were added, or rules were added to existing MITRE IDs:

T1016, T1018, T1036, T1040, T1046, T1057, T1068, T1098, T1132, T1498


In release version 2.0, the following MITRE IDs were added:

T1002, T1003, T1028, T1031, T1035, T1038, T1039, T1047, T1048, T1050, T1052, T1053, T1055, T1059, T1061, T1064, T1072, T1078

T1085, T1086, T1087, T1089, T1090, T1091, T1107, T1113, T1114, T1115, T1117, T1118, T1121, T1127, T1129, T1140, T1151, T1168

T1170, T1173, T1175, T1179, T1183, T1191, T1196, T1200, T1203, T1204, T1215, T1216, T1218, T1220, T1223


-------------------------------------------------------------------------------

System Requirements

========================

Micro Focus ArcSight ESM 6.9.1c or above.

-------------------------------------------------------------------------------


To install this package:

===========================

The zip file contains three files: the package .arb file, the signature of the .arb file, and a Readme.

Micro Focus provides a digital public key to enable you to verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:

https://entitlement.mfgs.microfocus.com/ecommerce/efulfillment/digitalSignIn.do

You must log in with a Micro Focus/Software Passport account (the site offers the option to create one).


Perform the following steps in the ArcSight Console.

1. Go to the ArcSight Console.

2. Click Packages.

3. Click Import.

4. Select the package .arb file from the zip file.

5. Follow the prompts to import and install this package.


To upgrade this package from version 1.x or 2.x

============================

Uninstall the following old version package:

Security Monitoring - Base - Active Lists

Note: the following three packages will also be uninstalled automatically:

Security Monitoring - Base

Security Threat Monitoring

Threat Intelligence Platform

Then install the latest version of the package through the console.


To uninstall:

=============================

Right-click the package in the ArcSight Console, then select "Uninstall Package".


Sample replay events

This zip file contains four files: two replay events, one .arb package, and a readme.

In order to trigger/test rules in the default content, you need to:

1) Enable the rules you want to test

2) Install the package in this zip file to test rules in the Threat Intelligence Platform package


Minimum Requirements

ESM 6.9.1 and above


The Threat Intelligence Platform package requires MIC for MISP.

Releases

Security Threat Monitoring 3.0.0.0
  Size: 300.7 KB
  Date: Sep 14, 2020
  Product compatibility: ESM 7.0, 7.2, 7.3, 7.4; ESM 6.9.1, 6.11.0
  Release notes: We are excited to announce that ArcSight now supports MITRE ATT&CK with sub-techniques. In this release version 3.0, we have re-mapped the existing Default Content to support the new MITRE ATT&CK sub-techniques. As a result of this re-mapping exercise, the Default Content now supports the techniques and sub-techniques listed at https://mitre.microfocus.com/. We also provide a downloadable JSON-formatted file of all Default and Non-Default Content on the above-mentioned webpage.
  Languages: English

Threat Intelligence Platform 3.0.0.0
  Size: 171.7 KB
  Date: Sep 14, 2020
  Product compatibility: ESM 7.0, 7.2, 7.3, 7.4; ESM 6.9.1, 6.11.0
  Release notes: Same as Security Threat Monitoring 3.0.0.0 above (Default Content re-mapped to MITRE ATT&CK sub-techniques in version 3.0).
  Languages: English

Threat Intelligence Platform 2.4.0.0
  Size: 164.2 KB
  Date: Aug 12, 2020
  Product compatibility: ESM 7.0, 7.2, 7.3, 7.4; ESM 6.9.1, 6.11.0
  Release notes: Bug fixing.
  Languages: English

Security Threat Monitoring 2.4.0.0
  Size: 291.9 KB
  Date: Aug 12, 2020
  Product compatibility: ESM 7.0, 7.2, 7.3, 7.4; ESM 6.9.1, 6.11.0
  Release notes: Bug fixing, and the following MITRE IDs were added or rules were added to existing MITRE IDs: T1027, T1036, T1047, T1050, T1053, T1086, T1088, T1173
  Languages: English

Sample Replay Events 1.0.0.0
  Size: 116.7 KB
  Date: Jun 11, 2020
  Product compatibility: ESM 7.0, 7.2, 7.3, 7.4; ESM 6.9.1, 6.11.0
  Release notes: These replay events are used to test rules in the default content.
  Languages: English