Hey folks,
I am in the process of populating our internal tooling with as much relevant MITRE ATT&CK (enterprise-attack for now) metadata as possible so that we can flesh out existing rules as well as our new rules with more accurate tactics & techniques.
On Friday, 63 new metadata additions were made to the database fuelling our signature management platform (making them available to rule writers), and I am now retroactively applying this metadata to older rules where I can.
Today, I have modified 561 rules with new MITRE ATT&CK metadata and I aim to hit roughly 5000 modifications before pushing the release later today.
We are aware that MITRE ATT&CK metadata is valuable to many of our customers and it is a topic we are often quizzed on.
My questions to the community are as follows:
- How are you currently utilising MITRE ATT&CK metadata from the Emerging Threats rulesets?
- What changes can we implement on our end to give you folks a better quality of life when interacting with and parsing that metadata?
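As an added example (not code from the original post, nor anything shipped by Emerging Threats), here is the kind of small parser a rule consumer might run over a ruleset to pull the ATT&CK fields out of each rule's `metadata` keyword, build a technique-to-sid coverage map, and flag rules that still need tagging or carry a malformed id. It assumes the key names `mitre_tactic_id`, `mitre_tactic_name`, `mitre_technique_id` and `mitre_technique_name`, which is my recollection of the ET convention and not something the post states; the sample rules, sids and content matches are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rules in Suricata syntax. The mitre_* metadata keys are
# an assumption about the Emerging Threats convention; sids, msgs and content
# matches are made up for this example.
SAMPLE_RULESET = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Beacon Checkin"; flow:established,to_server; http.uri; content:"/ping"; sid:9000001; rev:2; metadata:created_at 2024_01_10, updated_at 2024_03_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071.001, mitre_technique_name Web_Protocols;)',
    'alert dns $HOME_NET any -> any any (msg:"EXAMPLE DGA Lookup"; dns.query; content:"xk3q9"; sid:9000002; rev:1; metadata:mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1568, mitre_technique_name Dynamic_Resolution;)',
    '#alert tcp any any -> any 4444 (msg:"EXAMPLE Disabled Rule"; sid:9000003; rev:1;)',
    'alert tcp any any -> any 4444 (msg:"EXAMPLE No Metadata"; sid:9000004; rev:1;)',
    'alert tcp any any -> any 8080 (msg:"EXAMPLE Typo In Technique"; sid:9000005; rev:1; metadata:mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T105, mitre_technique_name Command_And_Scripting_Interpreter;)',
]

METADATA_RE = re.compile(r'\bmetadata:\s*([^;]*);')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')
TACTIC_ID_RE = re.compile(r'^TA\d{4}$')
# Techniques are Tnnnn, sub-techniques Tnnnn.nnn.
TECHNIQUE_ID_RE = re.compile(r'^T\d{4}(?:\.\d{3})?$')


def parse_metadata(rule):
    """Return {key: [values]} from the rule's metadata keyword.

    The keyword holds 'key value, key value, ...'. Keys may repeat (a rule
    mapped to two techniques carries mitre_technique_id twice), so every
    key maps to a list rather than a single string.
    """
    meta = defaultdict(list)
    m = METADATA_RE.search(rule)
    if not m:
        return meta
    for item in m.group(1).split(','):
        parts = item.strip().split(None, 1)
        if len(parts) == 2:
            meta[parts[0]].append(parts[1].strip())
    return meta


def parse_rule(rule):
    """Extract sid, msg and ATT&CK fields; None for blank or commented rules."""
    rule = rule.strip()
    if not rule or rule.startswith('#'):
        return None
    sid = SID_RE.search(rule)
    msg = MSG_RE.search(rule)
    meta = parse_metadata(rule)
    tactics = meta.get('mitre_tactic_id', [])
    techniques = meta.get('mitre_technique_id', [])
    issues = []
    if not tactics and not techniques:
        issues.append('no ATT&CK metadata')
    issues += [f'malformed tactic id {t}' for t in tactics if not TACTIC_ID_RE.match(t)]
    issues += [f'malformed technique id {t}' for t in techniques if not TECHNIQUE_ID_RE.match(t)]
    # Ids and names are parallel lists in this convention; a length mismatch
    # usually means a hand-edited rule lost one half of a pair.
    if len(tactics) != len(meta.get('mitre_tactic_name', [])):
        issues.append('tactic id/name count mismatch')
    if len(techniques) != len(meta.get('mitre_technique_name', [])):
        issues.append('technique id/name count mismatch')
    return {
        'sid': int(sid.group(1)) if sid else None,
        'msg': msg.group(1) if msg else '',
        'tactics': tactics,
        'techniques': techniques,
        'issues': issues,
    }


def parse_ruleset(lines):
    """Parse every active rule; commented-out (disabled) rules are skipped."""
    parsed = [parse_rule(line) for line in lines]
    return [p for p in parsed if p is not None]


def technique_coverage(parsed):
    """Map well-formed technique id -> sorted sids that reference it."""
    cov = defaultdict(list)
    for p in parsed:
        for t in p['techniques']:
            if TECHNIQUE_ID_RE.match(t):
                cov[t].append(p['sid'])
    return {t: sorted(s) for t, s in cov.items()}


def rules_needing_attention(parsed):
    """sid -> issues, i.e. the worklist for a retroactive tagging pass."""
    return {p['sid']: p['issues'] for p in parsed if p['issues']}


if __name__ == '__main__':
    rules = parse_ruleset(SAMPLE_RULESET)
    for tech, sids in sorted(technique_coverage(rules).items()):
        print(f'{tech}: {len(sids)} rule(s) {sids}')
    for sid, issues in rules_needing_attention(rules).items():
        print(f'sid {sid}: {"; ".join(issues)}')
```

Two points a consumer would care about when parsing this: keys repeat rather than carrying comma-joined values, so a parser that stores one string per key silently drops the second technique on a multi-mapped rule, and sub-technique ids (T1071.001) need a different pattern from top-level ids if you validate them.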