OTRF / OSSEM-DM

OSSEM Detection Model
MIT License

Firewall Enabled: data component not in ATT&CK? #37

Closed rubinatorz closed 2 years ago

rubinatorz commented 2 years ago

I see there's a firewall_enabled.yml relationship file, containing event ID 5024 and defining the Firewall Enabled data source. It's also reflected in the main/use-cases/mitre_attack/attack_relationships.yml file, stating:

attack:
    data_source: Firewall
    data_component: firewall enable

But within ATT&CK there's no data component called "Firewall Enable(d)".
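The mismatch reported here (a `data_component` value that does not exist in ATT&CK) is the kind of thing a small validation step can catch before a mapping file is merged. The script below is an added example, not code from the OSSEM-DM project: it normalizes the `attack:` mapping of each relationship entry and checks it against a data-source/data-component catalog. The catalog is a constructed subset of the ATT&CK Firewall and Process data components (a real check would load the full list from the ATT&CK STIX data), and the relationship entries are constructed in the shape quoted in the issue, with the 5024 entry reproducing the "firewall enable" mismatch.

```python
"""Validate OSSEM-DM style attack-relationship mappings against a catalog of
ATT&CK data components. Added example; not part of OSSEM-DM itself."""
from difflib import get_close_matches

# Constructed subset of ATT&CK data sources -> data components (assumption:
# illustrative only; a real validator should load the complete list from the
# ATT&CK STIX bundle). Everything is stored lower-cased for matching.
ATTACK_DATA_COMPONENTS = {
    "firewall": {
        "firewall disable", "firewall enumeration",
        "firewall metadata", "firewall rule modification",
    },
    "process": {"process creation", "process termination", "os api execution"},
}

# Constructed relationship entries in the shape the issue quotes
# (attack -> data_source / data_component). The 5024 entry reproduces the
# mismatch discussed in the issue; the 4688 entry differs only in case.
RELATIONSHIPS = [
    {"name": "firewall_enabled", "event_id": 5024,
     "attack": {"data_source": "Firewall", "data_component": "firewall enable"}},
    {"name": "process_created", "event_id": 4688,
     "attack": {"data_source": "Process", "data_component": "Process Creation"}},
]


def _norm(value):
    """Lower-case and collapse whitespace so 'Process Creation' == 'process creation'."""
    return " ".join(str(value).lower().split())


def validate(relationships, catalog=ATTACK_DATA_COMPONENTS):
    """Return a list of findings for mappings that do not resolve to a known
    ATT&CK data source/component pair. An empty list means every entry is valid.
    Each finding carries close-match suggestions to speed up the fix."""
    findings = []
    for rel in relationships:
        attack = rel.get("attack") or {}
        source = _norm(attack.get("data_source", ""))
        component = _norm(attack.get("data_component", ""))
        if source not in catalog:
            findings.append({
                "name": rel.get("name"),
                "problem": "unknown data source",
                "value": source,
                "suggestions": get_close_matches(source, sorted(catalog), n=3),
            })
            continue
        if component not in catalog[source]:
            findings.append({
                "name": rel.get("name"),
                "problem": "unknown data component",
                "value": component,
                "suggestions": get_close_matches(component, sorted(catalog[source]), n=3),
            })
    return findings


if __name__ == "__main__":
    for finding in validate(RELATIONSHIPS):
        print(f"{finding['name']}: {finding['problem']} '{finding['value']}'"
              f" (did you mean: {', '.join(finding['suggestions']) or 'n/a'})")
```

Run as a script it reports only the `firewall_enabled` entry; the `process_created` entry passes because matching is case-insensitive, which is deliberate since OSSEM files and ATT&CK names do not agree on capitalization. Wiring this into CI for the relationships folder would have flagged the component before it reached the use-cases file.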

Cyb3rPandaH commented 2 years ago

Hey @rubinatorz You are right, there is no data component called "Firewall Enable". I added that component to the use-cases folder because I made a PR to the attack-datasources repo, but it was not merged LOL. I will remove that component from the use-cases file 👍 and keep the component and relation under the relationships folder.

Thank you very much for letting us know about it 🙏

Cyb3rPandaH commented 2 years ago

All the files related have been updated 😃 🍻 Thank you 🙏