Event category and field distribution over ATT&CK techniques

Analysis of the Elastic detection-rules repository, showing the event categories (event.category) and field distribution per ATT&CK technique. The full results are in the file below (fields_by_technique.json).

The structure is:

"library": {                                       # event.category ("generic" if the rule does not define event.category)
  "fields": {                                      # field distribution for that event.category within that technique
    "dll.code_signature.status": "100.00%",        # field and the percentage of those rules that reference it
    "dll.code_signature.trusted": "100.00%",       # field and the percentage of those rules that reference it
    "host.os.type": "100.00%",                     # field and the percentage of those rules that reference it
    "process.pid": "100.00%"                       # field and the percentage of those rules that reference it
  },
  "rule_count": 1                                  # number of rules within this technique + event.category
}

Example:

"T1553": {
    "generic": {
      "fields": {
        "event.provider": "100.00%",
        "host.os.type": "100.00%",
        "message": "100.00%"
      },
      "rule_count": 1
    },
    "library": {
      "fields": {
        "dll.code_signature.status": "100.00%",
        "dll.code_signature.trusted": "100.00%",
        "host.os.type": "100.00%",
        "process.pid": "100.00%"
      },
      "rule_count": 1
    },
    "process": {
      "fields": {
        "event.category": "66.67%",
        "event.type": "100.00%",
        "host.os.type": "100.00%",
        "process.args": "100.00%",
        "process.executable": "33.33%",
        "process.name": "66.67%",
        "process.parent.executable": "33.33%",
        "process.pe.original_file_name": "33.33%"
      },
      "rule_count": 3
    },
    "registry": {
      "fields": {
        "event.type": "100.00%",
        "host.os.type": "100.00%",
        "process.executable": "33.33%",
        "registry.data.strings": "66.67%",
        "registry.path": "100.00%",
        "registry.value": "33.33%"
      },
      "rule_count": 3
    }
}

For technique T1553, the following event categories were present, each with the number of rules that use it:

  • 1 generic
  • 1 library
  • 3 process
  • 3 registry

The field percentages under each event.category are relative to that category's rule_count: for example, "process.executable": "33.33%" under "process" means one of the three process rules for T1553 references that field, while "100.00%" means every rule in that bucket does.
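The following is an added example, not code from the original post or from the detection-rules project, that builds the structure described above from a small set of rule summaries. It assumes (my assumption, not the post's) that each rule has already been reduced to its ATT&CK technique IDs, the event.category its query pins (None when it does not), and the set of ECS fields the query references; the sample rules are constructed so that the T1553 "process" and "generic" buckets come out identical to the post's example.

```python
"""Added example (not part of the original post): compute the per-technique,
per-event.category field distribution from pre-extracted rule summaries.

Assumption (not from the original): each rule is a dict with the technique IDs
it is tagged with, the event.category it filters on (None if unconstrained),
and the set of fields its query references. Extracting these from the real
detection-rules TOML files is out of scope here.
"""
from collections import Counter, defaultdict

GENERIC = "generic"  # bucket for rules that do not pin event.category

# Constructed sample rules (made up for illustration). rule-a..rule-d are
# shaped so that the T1553 "process" and "generic" buckets reproduce the
# percentages shown in the post's T1553 example.
SAMPLE_RULES = [
    {"id": "rule-a", "techniques": ["T1553"], "event_category": "process",
     "fields": {"event.category", "event.type", "host.os.type",
                "process.args", "process.name"}},
    {"id": "rule-b", "techniques": ["T1553"], "event_category": "process",
     "fields": {"event.category", "event.type", "host.os.type",
                "process.args", "process.name", "process.parent.executable"}},
    {"id": "rule-c", "techniques": ["T1553", "T1036"], "event_category": "process",
     "fields": {"event.type", "host.os.type", "process.args",
                "process.executable", "process.pe.original_file_name"}},
    {"id": "rule-d", "techniques": ["T1553"], "event_category": None,
     "fields": {"event.provider", "host.os.type", "message"}},
]


def percent(numerator: int, denominator: int) -> str:
    """Format a share of rules the way the post's JSON does, e.g. "66.67%"."""
    return f"{100.0 * numerator / denominator:.2f}%"


def fields_by_technique(rules):
    """Return {technique: {event.category: {"fields": {...}, "rule_count": n}}}.

    A rule tagged with several techniques is counted once under each of them;
    a rule with no event.category filter lands in the "generic" bucket. Each
    field percentage is relative to rule_count of its technique + category.
    """
    rule_count = defaultdict(Counter)                        # technique -> category -> #rules
    field_hits = defaultdict(lambda: defaultdict(Counter))   # technique -> category -> field -> #rules
    for rule in rules:
        category = rule["event_category"] or GENERIC
        for technique in rule["techniques"]:
            rule_count[technique][category] += 1
            field_hits[technique][category].update(rule["fields"])

    result = {}
    for technique in sorted(rule_count):
        result[technique] = {}
        for category in sorted(rule_count[technique]):
            n = rule_count[technique][category]
            hits = field_hits[technique][category]
            result[technique][category] = {
                "fields": {f: percent(hits[f], n) for f in sorted(hits)},
                "rule_count": n,
            }
    return result


def field_coverage(table, technique, category, field):
    """Read a percentage back out of the table as a float (0.0 when absent).

    Useful for answering "how many rules for this technique would break if
    this field stopped being populated?" without re-parsing the JSON.
    """
    entry = table.get(technique, {}).get(category)
    if not entry:
        return 0.0
    return float(entry["fields"].get(field, "0.00%").rstrip("%"))


if __name__ == "__main__":
    import json
    print(json.dumps(fields_by_technique(SAMPLE_RULES), indent=2))
```

Running the module prints the same nested JSON shape as fields_by_technique.json; field_coverage is a convenience reader for the percentage strings so that a data-source gap (a field not shipped by a given integration) can be mapped to the share of rules per technique that depend on it.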

Data

A full JSON dump of the data can be found here, where this blog was originally posted.

Happy analyzing!