2 minutes
Introducing LoFP
The farm is growing! A new way to live off the land, in this case, by blending in with it.
What is LoFP?
Living off the False Positive is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic.
What’s the goal?
The goal is to enable both red and blue teams with this information.
Red teams can use this information to blend in by mimicking or looking similar to the FP activity. Alert fatigue often causes analysts to readily ignore things even remotely false positive. At there very least, it will instill doubt.
Blue teams on the other hand, can use this information to assess weak spots in their detection logic. They can also compare across rule sets to see if it is a broad tendency, or maybe something more specific to a particular vendor. It can also assist during alert triage and investigation, by looking at common FPs around certain techniques and data sources.
Details
For now, it encompasses rules from the following sources:
- elastic detection rules
- sigma rules
- splunk rules
And it isn’t all the rule directories at this point, but this could expand. The trouble is, false positive annotations tend to be more narrative than keyword based, making it difficult to aggregate similarities.
This is why you shouldn’t use this by just scrolling along – that would be a little painful. Instead, focus on searching for keywords in the false positives themselves (such as “python”, “powershell”, etc.), the techniques, rule source, or data source as a starting point.
If you know you will be leveraging certain techniques, find similar ones and see what the false positives trends tend to look like and use this information to blend in.
As you can see, the idea is to include certain key details of the source from the rule(s) that the FPs come from to maximize the value of the information.
Checkout the repo for more details on auto generation.
Nightly builds
This is meant to be a maintenance-free project. As a result, this data refreshes nightly, based on the latest available updates in the respective repos.
Future expansion?
Possibly, but let’s see how this goes first.