#
# File: bzar_config_options.zeek
# Created: 20191121
# Updated: 20201009
#
# Copyright 2018 The MITRE Corporation. All Rights Reserved.
# Approved for public release. Distribution unlimited. Case number 18-3868.
#
module BZAR;
export
{
# BZAR Configuration Options
#
# BZAR Actions - ATT&CK Indicators to Detect and Report
#
# Description:
# These config options should be tuned for your specific environment.
# Use the Zeek Configuration Framework to change the default values
# during runtime.
#
# xxx_detect_option:
# Option to control whether or not to detect this ATT&CK indicator.
# If set to False, then it effectively disables _report_option, too.
#
# xxx_report_option:
# Option to control whether or not to write to the Notice Log.
# If _detect_option is False, then this option has no effect.
#
# NOTE: Disabling _detect_option stops detection entirely, while
# disabling _report_option only silences the Notice Log entry; the
# indicator may still feed the aggregate SumStats analytics below.
#
# ATTACK::Credential_Access
# T1003.006 (OS Credential Dumping: DCSync)
option t1003_006_detect_option = T;
option t1003_006_report_option = T;
# ATTACK::Defense_Evasion
# T1070.001 (Indicator Removal: Clear Windows Event Logs)
option t1070_001_detect_option = T;
option t1070_001_report_option = T;
# ATTACK::Execution
# T1569.002 (System Services: Service Execution)
option t1569_002_detect_option = T;
option t1569_002_report_option = T;
# T1047 (Windows Management Instrumentation)
option t1047_detect_option = T;
option t1047_report_option = T;
# T1053.002 (Scheduled Task/Job: At)
option t1053_002_detect_option = T;
option t1053_002_report_option = T;
# T1053.005 (Scheduled Task/Job: Scheduled Task)
option t1053_005_detect_option = T;
option t1053_005_report_option = T;
# ATTACK::Impact
# T1529 (System Shutdown/Reboot)
option t1529_detect_option = T;
option t1529_report_option = T;
# ATTACK::Lateral_Movement
# Options to control whether or not to detect/report
# 'Remote File Copy/Lateral Tool Transfer to Windows Admin File Share'
# (T1021.002 combined with T1570).
option t1021_002_t1570_detect_option = T;
option t1021_002_t1570_report_option = T;
# Options to control whether or not to detect/report
# 'Windows Admin File Share' (T1021.002) by itself.
# RECOMMENDATION: Do not report this ATT&CK indicator without
# additional context. Admin-share access is routine in many
# environments, so reporting it alone tends to be noisy.
# Detection stays enabled by default because the
# Lateral_Movement_Multiple_Attempts analytic below depends on it.
option t1021_002_detect_option = T;
option t1021_002_report_option = F;
# Option to control whether or not to detect/report
# 'Remote File Copy/Lateral Tool Transfer' (T1570) to any other
# network share, not related to 'Windows Admin File Share'.
# RECOMMENDATION: Do not report this ATT&CK indicator without
# additional context.
option t1570_detect_option = T;
option t1570_report_option = F;
# ATTACK::Lateral_Movement_Multiple_Attempts
# Aggregate SumStats Indicator
# Option to control whether or not to write this SumStats indicator to Notice Log.
# It relies on t1021_002_detect_option. If t1021_002_detect_option is False, this option has no effect.
option t1021_002_multiple_attempts_report_option = T;
# ATTACK::Lateral_Movement_and_Execution
# Aggregate SumStats Indicator
# Option to control whether or not to write this SumStats indicator to the Notice Log.
# NOTE(review): presumably depends on the Lateral_Movement and Execution
# _detect_options above being enabled; confirm in the analytics code.
option attack_lm_ex_report_option = T;
# ATTACK::Lateral_Movement_Extracted_File
# Options to control whether or not to extract files associated with Lateral Movement
# and whether or not to write to Notice Log. If _extract is False, _report has no effect.
# NOTE: File extraction writes attacker-supplied content to local disk;
# make sure the extraction directory is sized and access-controlled accordingly.
option attack_lm_file_extract_option = T;
option attack_lm_extracted_file_report_option = T;
# ATTACK::Persistence
# T1547.004 (Boot or Logon Autostart Execution: Winlogon Helper DLL)
option t1547_004_detect_option = T;
option t1547_004_report_option = T;
# T1547.010 (Boot or Logon Autostart Execution: Port Monitors)
option t1547_010_detect_option = T;
option t1547_010_report_option = T;
# ATTACK::Discovery
# T1016 System Network Configuration Discovery
# T1018 Remote System Discovery
# T1033 System Owner/User Discovery
# T1049 System Network Connections Discovery
# T1069 Permission Groups Discovery
# T1082 System Information Discovery
# T1083 File and Directory Discovery
# T1087 Account Discovery
# T1124 System Time Discovery
# T1135 Network Share Discovery
option t1016_detect_option = T;
option t1018_detect_option = T;
option t1033_detect_option = T;
option t1049_detect_option = T;
option t1069_detect_option = T;
option t1082_detect_option = T;
option t1083_detect_option = T;
option t1087_detect_option = T;
option t1124_detect_option = T;
option t1135_detect_option = T;
# Recommendation: Do not report these Discovery indicators individually.
# A single discovery call is common benign activity; the aggregate
# SumStats analytic below (attack_discovery_report_option) is the
# intended reporting path.
option t1016_report_option = F;
option t1018_report_option = F;
option t1033_report_option = F;
option t1049_report_option = F;
option t1069_report_option = F;
option t1082_report_option = F;
option t1083_report_option = F;
option t1087_report_option = F;
option t1124_report_option = F;
option t1135_report_option = F;
# Aggregate SumStats Reporting of Discovery Indicators
# Dependent on individual Discovery indicators above: a Discovery
# technique whose _detect_option is False contributes nothing here.
option attack_discovery_report_option = T;
#
# BZAR Whitelist - Ignore ATT&CK Indicators Involving these Endpoints
#
# Description:
# Whitelists can be specified by IP address, IP subnet, or host
# name for each ATT&CK indicator. Furthermore, the whitelists can
# be specified by originating address, subnet, or hostname; and by
# responding address, subnet, or hostname.
#
# A matching whitelist entry suppresses both the Notice Log entry and
# the SumStats Observation, so the endpoint also drops out of the
# aggregate analytics. Keep entries as narrow as possible (single
# hosts or small subnets rather than broad ranges), since a
# whitelisted host that is later compromised becomes invisible to BZAR.
#
# xxxx_whitelist_orig_addrs : set[addr]
# Add originating IP addresses to ignore for an ATT&CK indicator.
# The value of 'c$id$orig_h' is checked against this list before
# writing to Notice Log and/or SumStats Observation.
#
# xxxx_whitelist_resp_addrs : set[addr]
# Add responding IP addresses to ignore for an ATT&CK indicator.
# The value of 'c$id$resp_h' is checked against this list before
# writing to Notice Log and/or SumStats Observation.
#
# xxxx_whitelist_orig_subnets : set[subnet]
# Add originating IP subnets to ignore for an ATT&CK indicator.
# The value of 'c$id$orig_h' is checked against this list before
# writing to Notice Log and/or SumStats Observation.
#
# xxxx_whitelist_resp_subnets : set[subnet]
# Add responding IP subnets to ignore for an ATT&CK indicator.
# The value of 'c$id$resp_h' is checked against this list before
# writing to Notice Log and/or SumStats Observation.
#
# xxxx_whitelist_orig_names : set[string]
# Add originating host names to ignore for an ATT&CK indicator.
# CAUTION: A DNS reverse-lookup of the value of 'c$id$orig_h' is
# performed and the result is checked against this list before
# writing to Notice Log and/or SumStats Observation. The DNS
# reverse-lookup could adversely affect system performance.
#
# xxxx_whitelist_resp_names : set[string]
# Add responding host names to ignore for an ATT&CK indicator.
# CAUTION: A DNS reverse-lookup of the value of 'c$id$resp_h' is
# performed and the result is checked against this list before
# writing to Notice Log and/or SumStats Observation. The DNS
# reverse-lookup could adversely affect system performance.
#
# CAUTION (name-based whitelists): the PTR record returned by a
# reverse-lookup is controlled by whoever administers the reverse zone
# for that address, not by your organization, so a name match is a
# weaker trust signal than an address or subnet match. Prefer the
# _addrs/_subnets whitelists where possible, and only list names whose
# reverse zones you control.
#
# Upper bound on each reverse-DNS lookup performed for the
# *_whitelist_*_names checks above. A lookup that exceeds this
# timeout presumably counts as "no match" (i.e. the indicator is
# still reported) -- confirm against the code that consumes it.
option whitelist_dns_timeout = 1sec;
# ATTACK::Credential_Access
option t1003_006_whitelist_orig_addrs : set[addr] = {};
option t1003_006_whitelist_resp_addrs : set[addr] = {};
option t1003_006_whitelist_orig_subnets : set[subnet] = {};
option t1003_006_whitelist_resp_subnets : set[subnet] = {};
option t1003_006_whitelist_orig_names : set[string] = {};
option t1003_006_whitelist_resp_names : set[string] = {};
# ATTACK::Defense_Evasion
option t1070_001_whitelist_orig_addrs : set[addr] = {};
option t1070_001_whitelist_resp_addrs : set[addr] = {};
option t1070_001_whitelist_orig_subnets : set[subnet] = {};
option t1070_001_whitelist_resp_subnets : set[subnet] = {};
option t1070_001_whitelist_orig_names : set[string] = {};
option t1070_001_whitelist_resp_names : set[string] = {};
# ATTACK::Execution
option t1569_002_whitelist_orig_addrs : set[addr] = {};
option t1569_002_whitelist_resp_addrs : set[addr] = {};
option t1569_002_whitelist_orig_subnets : set[subnet] = {};
option t1569_002_whitelist_resp_subnets : set[subnet] = {};
option t1569_002_whitelist_orig_names : set[string] = {};
option t1569_002_whitelist_resp_names : set[string] = {};
option t1047_whitelist_orig_addrs : set[addr] = {};
option t1047_whitelist_resp_addrs : set[addr] = {};
option t1047_whitelist_orig_subnets : set[subnet] = {};
option t1047_whitelist_resp_subnets : set[subnet] = {};
option t1047_whitelist_orig_names : set[string] = {};
option t1047_whitelist_resp_names : set[string] = {};
option t1053_002_whitelist_orig_addrs : set[addr] = {};
option t1053_002_whitelist_resp_addrs : set[addr] = {};
option t1053_002_whitelist_orig_subnets : set[subnet] = {};
option t1053_002_whitelist_resp_subnets : set[subnet] = {};
option t1053_002_whitelist_orig_names : set[string] = {};
option t1053_002_whitelist_resp_names : set[string] = {};
option t1053_005_whitelist_orig_addrs : set[addr] = {};
option t1053_005_whitelist_resp_addrs : set[addr] = {};
option t1053_005_whitelist_orig_subnets : set[subnet] = {};
option t1053_005_whitelist_resp_subnets : set[subnet] = {};
option t1053_005_whitelist_orig_names : set[string] = {};
option t1053_005_whitelist_resp_names : set[string] = {};
# ATTACK::Impact
option t1529_whitelist_orig_addrs : set[addr] = {};
option t1529_whitelist_resp_addrs : set[addr] = {};
option t1529_whitelist_orig_subnets : set[subnet] = {};
option t1529_whitelist_resp_subnets : set[subnet] = {};
option t1529_whitelist_orig_names : set[string] = {};
option t1529_whitelist_resp_names : set[string] = {};
# ATTACK::Lateral_Movement
option t1021_002_t1570_whitelist_orig_addrs : set[addr] = {};
option t1021_002_t1570_whitelist_resp_addrs : set[addr] = {};
option t1021_002_t1570_whitelist_orig_subnets : set[subnet] = {};
option t1021_002_t1570_whitelist_resp_subnets : set[subnet] = {};
option t1021_002_t1570_whitelist_orig_names : set[string] = {};
option t1021_002_t1570_whitelist_resp_names : set[string] = {};
option t1021_002_whitelist_orig_addrs : set[addr] = {};
option t1021_002_whitelist_resp_addrs : set[addr] = {};
option t1021_002_whitelist_orig_subnets : set[subnet] = {};
option t1021_002_whitelist_resp_subnets : set[subnet] = {};
option t1021_002_whitelist_orig_names : set[string] = {};
option t1021_002_whitelist_resp_names : set[string] = {};
option t1570_whitelist_orig_addrs : set[addr] = {};
option t1570_whitelist_resp_addrs : set[addr] = {};
option t1570_whitelist_orig_subnets : set[subnet] = {};
option t1570_whitelist_resp_subnets : set[subnet] = {};
option t1570_whitelist_orig_names : set[string] = {};
option t1570_whitelist_resp_names : set[string] = {};
# ATTACK::Lateral_Movement_Multiple_Attempts
option t1021_002_multiple_attempts_whitelist_orig_addrs : set[addr] = {};
option t1021_002_multiple_attempts_whitelist_resp_addrs : set[addr] = {};
option t1021_002_multiple_attempts_whitelist_orig_subnets : set[subnet] = {};
option t1021_002_multiple_attempts_whitelist_resp_subnets : set[subnet] = {};
option t1021_002_multiple_attempts_whitelist_orig_names : set[string] = {};
option t1021_002_multiple_attempts_whitelist_resp_names : set[string] = {};
# ATTACK::Lateral_Movement_and_Execution
option attack_lm_ex_whitelist_orig_addrs : set[addr] = {};
option attack_lm_ex_whitelist_resp_addrs : set[addr] = {};
option attack_lm_ex_whitelist_orig_subnets : set[subnet] = {};
option attack_lm_ex_whitelist_resp_subnets : set[subnet] = {};
option attack_lm_ex_whitelist_orig_names : set[string] = {};
option attack_lm_ex_whitelist_resp_names : set[string] = {};
# ATTACK::Lateral_Movement_Extracted_File
option attack_lm_extracted_file_whitelist_orig_addrs : set[addr] = {};
option attack_lm_extracted_file_whitelist_resp_addrs : set[addr] = {};
option attack_lm_extracted_file_whitelist_orig_subnets : set[subnet] = {};
option attack_lm_extracted_file_whitelist_resp_subnets : set[subnet] = {};
option attack_lm_extracted_file_whitelist_orig_names : set[string] = {};
option attack_lm_extracted_file_whitelist_resp_names : set[string] = {};
# ATTACK::Persistence
option t1547_004_whitelist_orig_addrs : set[addr] = {};
option t1547_004_whitelist_resp_addrs : set[addr] = {};
option t1547_004_whitelist_orig_subnets : set[subnet] = {};
option t1547_004_whitelist_resp_subnets : set[subnet] = {};
option t1547_004_whitelist_orig_names : set[string] = {};
option t1547_004_whitelist_resp_names : set[string] = {};
option t1547_010_whitelist_orig_addrs : set[addr] = {};
option t1547_010_whitelist_resp_addrs : set[addr] = {};
option t1547_010_whitelist_orig_subnets : set[subnet] = {};
option t1547_010_whitelist_resp_subnets : set[subnet] = {};
option t1547_010_whitelist_orig_names : set[string] = {};
option t1547_010_whitelist_resp_names : set[string] = {};
# ATTACK::Discovery
# Whitelist for the aggregate Discovery analytic.
option attack_discovery_whitelist_orig_addrs : set[addr] = {};
option attack_discovery_whitelist_resp_addrs : set[addr] = {};
option attack_discovery_whitelist_orig_subnets : set[subnet] = {};
option attack_discovery_whitelist_resp_subnets : set[subnet] = {};
option attack_discovery_whitelist_orig_names : set[string] = {};
option attack_discovery_whitelist_resp_names : set[string] = {};
# If needed, use whitelists for the individual Discovery indicators.
# These are separate from the aggregate whitelist above; an endpoint
# listed here is ignored only for that one technique.
option t1016_whitelist_orig_addrs : set[addr] = {};
option t1016_whitelist_resp_addrs : set[addr] = {};
option t1016_whitelist_orig_subnets : set[subnet] = {};
option t1016_whitelist_resp_subnets : set[subnet] = {};
option t1016_whitelist_orig_names : set[string] = {};
option t1016_whitelist_resp_names : set[string] = {};
option t1018_whitelist_orig_addrs : set[addr] = {};
option t1018_whitelist_resp_addrs : set[addr] = {};
option t1018_whitelist_orig_subnets : set[subnet] = {};
option t1018_whitelist_resp_subnets : set[subnet] = {};
option t1018_whitelist_orig_names : set[string] = {};
option t1018_whitelist_resp_names : set[string] = {};
option t1033_whitelist_orig_addrs : set[addr] = {};
option t1033_whitelist_resp_addrs : set[addr] = {};
option t1033_whitelist_orig_subnets : set[subnet] = {};
option t1033_whitelist_resp_subnets : set[subnet] = {};
option t1033_whitelist_orig_names : set[string] = {};
option t1033_whitelist_resp_names : set[string] = {};
option t1049_whitelist_orig_addrs : set[addr] = {};
option t1049_whitelist_resp_addrs : set[addr] = {};
option t1049_whitelist_orig_subnets : set[subnet] = {};
option t1049_whitelist_resp_subnets : set[subnet] = {};
option t1049_whitelist_orig_names : set[string] = {};
option t1049_whitelist_resp_names : set[string] = {};
option t1069_whitelist_orig_addrs : set[addr] = {};
option t1069_whitelist_resp_addrs : set[addr] = {};
option t1069_whitelist_orig_subnets : set[subnet] = {};
option t1069_whitelist_resp_subnets : set[subnet] = {};
option t1069_whitelist_orig_names : set[string] = {};
option t1069_whitelist_resp_names : set[string] = {};
option t1082_whitelist_orig_addrs : set[addr] = {};
option t1082_whitelist_resp_addrs : set[addr] = {};
option t1082_whitelist_orig_subnets : set[subnet] = {};
option t1082_whitelist_resp_subnets : set[subnet] = {};
option t1082_whitelist_orig_names : set[string] = {};
option t1082_whitelist_resp_names : set[string] = {};
option t1083_whitelist_orig_addrs : set[addr] = {};
option t1083_whitelist_resp_addrs : set[addr] = {};
option t1083_whitelist_orig_subnets : set[subnet] = {};
option t1083_whitelist_resp_subnets : set[subnet] = {};
option t1083_whitelist_orig_names : set[string] = {};
option t1083_whitelist_resp_names : set[string] = {};
option t1087_whitelist_orig_addrs : set[addr] = {};
option t1087_whitelist_resp_addrs : set[addr] = {};
option t1087_whitelist_orig_subnets : set[subnet] = {};
option t1087_whitelist_resp_subnets : set[subnet] = {};
option t1087_whitelist_orig_names : set[string] = {};
option t1087_whitelist_resp_names : set[string] = {};
option t1124_whitelist_orig_addrs : set[addr] = {};
option t1124_whitelist_resp_addrs : set[addr] = {};
option t1124_whitelist_orig_subnets : set[subnet] = {};
option t1124_whitelist_resp_subnets : set[subnet] = {};
option t1124_whitelist_orig_names : set[string] = {};
option t1124_whitelist_resp_names : set[string] = {};
option t1135_whitelist_orig_addrs : set[addr] = {};
option t1135_whitelist_resp_addrs : set[addr] = {};
option t1135_whitelist_orig_subnets : set[subnet] = {};
option t1135_whitelist_resp_subnets : set[subnet] = {};
option t1135_whitelist_orig_names : set[string] = {};
option t1135_whitelist_resp_names : set[string] = {};
#
# BZAR Analytics - Use SumStats to Correlate ATT&CK Indicators
#
# Each analytic observes indicators over a sliding 'epoch' and raises
# a Notice when the per-endpoint sum reaches the corresponding 'limit'.
# Lengthening an epoch widens the correlation window (more chance to
# catch slow activity, more memory held per tracked endpoint);
# raising a limit trades sensitivity for fewer false positives.
#
# 1- SumStats Analytics for ATTACK::Lateral_Movement_and_Execution
# The limit is a weighted sum: SMB_WRITE contributes 1 and RPC_EXEC
# contributes 1000, so 1001.0 presumably means "at least one SMB write
# AND at least one RPC exec in the same epoch" -- confirm the weights
# against the observation code before retuning this value.
option bzar1_epoch = 10min;
option bzar1_limit = 1001.0; # SMB_WRITE == 1; RPC_EXEC == 1000;
# 2- SumStats Analytics for ATTACK::Lateral_Movement_Multiple_Attempts
# Use threshold vector for greater fidelity and to assist in tuning
# the threshold for each unique environment.
# Each crossing of a successive threshold is expected to produce its
# own Notice, so the vector gives a rising-severity signal rather than
# a single cutoff.
option bzar2_epoch = 5min;
option bzar2_limit = vector(5.0, 10.0, 15.0, 20.0, 30.0, 40.0, 50.0, 100.0);
# 3- SumStats Analytics for ATTACK::Discovery
# Use threshold vector for greater fidelity and to assist in tuning
# the threshold for each unique environment.
option bzar3_epoch = 5min;
option bzar3_limit = vector(5.0, 10.0, 15.0, 20.0, 30.0, 40.0, 50.0, 100.0);
}
#end export
#end bzar_config_options.zeek