Rule release uptick - mass metadata updates

For consumers/customers of Emerging Threats rulesets, you may have noticed an uptick in rule release volume (I know for a fact some of you have; you thought it was a bug!). For the past week, I’ve been making tens of thousands of rule updates to address missing metadata. Specifically, I’ve been targeting confidence, signature_severity, and MITRE.

MITRE has had the least attention so far; both confidence and signature_severity have taken the initial priority, and I’m now ready to give some statistics on my efforts so far.

When I began this task, ‘confidence’ coverage was hitting an average of around 30% across the entire ruleset. I’ve now more than doubled that (70.75% over 100k+ rules), with rules created in 2023 and 2024 having 100% confidence coverage.

Our ‘signature_severity’ tag was already relatively high but I’ve been pushing for 100% coverage across the whole ruleset. We now have ‘signature_severity’ applied to 100% of rules created in 2019, 2020, 2021, 2022, 2023, and 2024.

MITRE coverage has roughly doubled since I began, now sitting at 48.74% coverage across the whole ruleset.

Once I achieve 100% coverage across the entire ruleset for confidence and signature_severity, I will be targeting MITRE and aiming for 80% coverage. Unfortunately, there are some scenarios in which rules do not fit any MITRE criteria and I won’t be forcing MITRE application just to create a veil of 100% coverage.

This has been and continues to be a mammoth task, but it will be extremely beneficial in the end, I promise you. We have some interesting ideas in the pipeline that revolve around this metadata, but we also owe it to our customers and consumers to provide this metadata wherever possible regardless.

If anybody has any questions regarding these updates, please don’t hesitate to ask.

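As an added example, not part of the post above and not Emerging Threats' own tooling: a Python script that computes the kind of coverage statistics described in the post over an ET-style rules file, overall and per created_at year, and lists the sids still missing each key. The rule lines embedded in it are constructed for the example (made-up sids, made-up content), and the metadata key names it checks (created_at, signature_severity, confidence, mitre_tactic_id, mitre_technique_id) are the ET metadata layout as assumed here.

```python
"""Metadata coverage report for an ET-style Suricata rules file.

Constructed example: the rules below are made up and only imitate the
Emerging Threats metadata layout (created_at, signature_severity,
confidence, mitre_*). Disabled rules (lines starting with '#') are
skipped, so the percentages describe the active ruleset, which is what
a deployed sensor actually loads.
"""
import re
from collections import defaultdict

SAMPLE_RULES = r"""
# Constructed sample rules; not real ET signatures.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE WEB_SPECIFIC_APPS Exploit Attempt"; flow:established,to_server; http.uri; content:"/sample"; classtype:web-application-attack; sid:9000001; rev:3; metadata:created_at 2019_03_01, updated_at 2024_01_15, signature_severity Major, confidence High, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"SAMPLE POLICY Outbound 4444"; flow:established,to_server; classtype:policy-violation; sid:9000002; rev:2; metadata:created_at 2019_05_12, updated_at 2019_05_12, signature_severity Minor;)
#alert dns $HOME_NET any -> any any (msg:"SAMPLE DISABLED"; dns.query; content:"disabled.invalid"; sid:9000003; rev:1; metadata:created_at 2023_01_01, confidence Low;)
alert dns $HOME_NET any -> any any (msg:"SAMPLE DNS Query to Sample Domain"; dns.query; content:"sample.invalid"; classtype:bad-unknown; sid:9000004; rev:1; metadata:created_at 2023_07_04, updated_at 2023_07_04, signature_severity Informational, confidence Medium;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE No Metadata At All"; tls.sni; content:"legacy.invalid"; sid:9000005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE Two metadata keywords"; flow:established,to_server; http.user_agent; content:"SampleAgent"; classtype:trojan-activity; sid:9000006; rev:1; metadata:created_at 2024_02_10, updated_at 2024_02_10; metadata:confidence Low, signature_severity Audit, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
METADATA_RE = re.compile(r"\bmetadata:\s*([^;]*);")

# What "covered" means for each statistic; MITRE counts if either id is present.
COVERAGE_KEYS = {
    "confidence": ("confidence",),
    "signature_severity": ("signature_severity",),
    "mitre": ("mitre_tactic_id", "mitre_technique_id"),
}


def parse_rules(text):
    """Return [(sid, metadata_dict)] for every active rule line.

    All metadata keywords on a rule are merged; a repeated key (ET uses
    'tag' several times) keeps its last value, which does not affect the
    keys checked here.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled rule
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue  # not a rule line
        meta = {}
        for block in METADATA_RE.findall(line):
            for item in block.split(","):
                key, _, value = item.strip().partition(" ")
                if key:
                    meta[key] = value.strip()
        rules.append((int(sid_match.group(1)), meta))
    return rules


def is_covered(meta, label):
    return any(meta.get(k) for k in COVERAGE_KEYS[label])


def rule_year(meta):
    """Year from created_at (ET writes YYYY_MM_DD); 'unknown' if absent or malformed."""
    created = meta.get("created_at", "")
    return created[:4] if re.fullmatch(r"\d{4}_\d{2}_\d{2}", created) else "unknown"


def coverage(rules):
    """{label: {bucket: (covered, total)}} with buckets 'all' and each created_at year."""
    counts = {label: defaultdict(lambda: [0, 0]) for label in COVERAGE_KEYS}
    for _sid, meta in rules:
        for label in COVERAGE_KEYS:
            hit = is_covered(meta, label)
            for bucket in ("all", rule_year(meta)):
                counts[label][bucket][0] += int(hit)
                counts[label][bucket][1] += 1
    return {label: {b: tuple(v) for b, v in buckets.items()}
            for label, buckets in counts.items()}


def percent(covered_total):
    covered, total = covered_total
    return round(100.0 * covered / total, 2) if total else 0.0


def missing_sids(rules, label):
    """Sorted sids lacking the metadata for `label`: the worklist for a mass update."""
    return sorted(sid for sid, meta in rules if not is_covered(meta, label))


def report(text):
    rules = parse_rules(text)
    stats = coverage(rules)
    lines = [f"active rules: {len(rules)}"]
    for label, buckets in stats.items():
        per_year = ", ".join(f"{b} {percent(c)}%"
                             for b, c in sorted(buckets.items()) if b != "all")
        lines.append(f"{label}: {percent(buckets['all'])}% overall ({per_year}); "
                     f"missing: {missing_sids(rules, label)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RULES))
```

To run it against a real ruleset, pass the contents of the .rules file to report() instead of SAMPLE_RULES. Commented-out rules are deliberately excluded so the figures describe what a sensor loads, and missing_sids() is the worklist for a mass metadata update; given the caveat in the post, a rule with no applicable MITRE technique will stay on the mitre list by design.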