There are currently a number of key strings that refer to the mitre attack guide, though in most cases there is little relation to the actual logs.
For example:
T1497_Virtualization_Sandbox_Evasion_System_Checks is used as key whenever VirtualBox applications are executed in /bin/local.
It also triggers for qemu when running on a Debian Bookworm VM, while the comment in the rules indicates it handles "qemu on macOS".
A different example is T1011_Exfiltration_Over_Other_Network_Medium, which is currently triggered every time a network socket file is created. While it may be correct that it could be used for exfiltration, it stands to reason that it will trigger a lot more often during normal operations.
I would suggest removing the mitre naming convention completely and using more simple key strings, like "socket created" for the second example.