
AttackRuleMap
Tags: Threat Defense, Threat Management
Repository of IOCs provided under the Apache 2.0 license
AttackRuleMap (ARM): A Tool for Correlating Detection Rules
AttackRuleMap (ARM) is a mapping tool designed to correlate open-source detection rules with atomic tests. This helps security teams gain a clearer understanding of their detection coverage.
The Tool Offers Detailed Mapping Between MITRE ATT&CK Techniques and Detection Rules
This tool provides a thorough mapping between:
- MITRE ATT&CK techniques and tactics
- Atomic Red Team test cases
- Sigma detection rules
- Splunk detection rules
Key capabilities include:
- Mapping atomic test cases to their corresponding detection rules
- Cross-referencing various detection rule formats
- Analyzing detection coverage specific to different platforms
- Identifying gaps in detection capabilities
- Supporting Windows, Linux, and ESXi platforms
Organization of the Mapping Data
The mapping data is structured as a table with the following columns:
- Technique IDs
- Atomic test names along with their GUIDs
- Platform information
- Associated Sigma rules
- Corresponding Splunk detection rules
This correlation helps security teams to:
- Validate detection coverage against known attack techniques
- Identify areas that need additional detection rules
- Plan and prioritize detection engineering efforts
- Test detection capabilities using the mapped atomic tests
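As an added example (not code from the AttackRuleMap project), the Python below reads a small constructed mapping table laid out with the columns described above, reports per-platform coverage, and lists the atomic tests that have no Sigma or Splunk rule mapped to them. The technique IDs are real ATT&CK IDs; every atomic test name, GUID and rule name is a placeholder.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an ARM-style mapping table. Technique IDs are real
# ATT&CK IDs; atomic names, GUIDs and rule names are placeholders, not values
# taken from the real AttackRuleMap data set.
SAMPLE_MAPPING = """\
technique_id,atomic_name,atomic_guid,platform,sigma_rules,splunk_rules
T1059.001,Example PowerShell download cradle,00000000-0000-4000-8000-000000000001,windows,sigma_ps_download_example;sigma_ps_encoded_example,splunk_ps_download_example
T1053.003,Example cron persistence,00000000-0000-4000-8000-000000000002,linux,sigma_cron_modification_example,
T1562.001,Example ESXi firewall change,00000000-0000-4000-8000-000000000003,esxi,,
T1003.001,Example LSASS dump,00000000-0000-4000-8000-000000000004,windows,,splunk_lsass_access_example
"""

RULE_FORMATS = ("sigma_rules", "splunk_rules")


def parse_mapping(text):
    """Parse the CSV into row dicts; rule columns become lists (';'-separated)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for fmt in RULE_FORMATS:
            row[fmt] = [r for r in row[fmt].split(";") if r]
        rows.append(row)
    return rows


def is_covered(row, formats=RULE_FORMATS):
    """An atomic test counts as covered if at least one rule exists in any format of interest."""
    return any(row[fmt] for fmt in formats)


def coverage_by_platform(rows, formats=RULE_FORMATS):
    """Return {platform: (covered_tests, total_tests)} for the chosen rule formats."""
    stats = defaultdict(lambda: [0, 0])
    for row in rows:
        stats[row["platform"]][1] += 1
        if is_covered(row, formats):
            stats[row["platform"]][0] += 1
    return {platform: tuple(counts) for platform, counts in stats.items()}


def find_gaps(rows, formats=RULE_FORMATS):
    """Atomic tests with no mapped rule in the given formats: the detection-engineering backlog."""
    return [(r["technique_id"], r["atomic_guid"], r["platform"]) for r in rows if not is_covered(r, formats)]


if __name__ == "__main__":
    rows = parse_mapping(SAMPLE_MAPPING)
    for platform, (covered, total) in coverage_by_platform(rows).items():
        print(f"{platform}: {covered}/{total} atomic tests have a mapped rule")
    for gap in find_gaps(rows, formats=("sigma_rules",)):
        print("no Sigma rule mapped:", *gap)
```

Restricting `formats` to a single rule format shows which gaps are specific to one SIEM, which is how the per-format coverage comparison is done in practice.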