MITRE Linux Integration App
The MITRE ATT&CK rules for Linux developed by ScienceSoft are based on auditd logs produced by a correctly configured audit subsystem on the monitored hosts.
auditd (the Audit daemon) is the userspace component of the Linux Audit subsystem that records security-relevant kernel events in most Linux distributions. The rule set developed by ScienceSoft comes with the auditd configuration steps that must be performed on the target systems for the rules to work; without the matching audit rules the daemon does not emit the events the correlation rules look for.
The Linux MITRE ATT&CK rules are tested and tuned. They are disabled by default to prevent false positives in a production SIEM environment, so to start working with the app, enable the rules once the auditd configuration is done.
The rules can be mapped to MITRE ATT&CK techniques using QRadar Use Case Manager.
The app includes detailed instructions and prepared configuration files to properly set up syslog and auditd components on target systems.
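The following is an added illustration, not the app's own rule set or configuration files: it shows how an audit.rules fragment tags events with a key (-k), how those keys reach the SIEM in the auditd record, and how a correlation rule matches on them, with the "disabled by default" behaviour modelled as a set of enabled keys. The audit rules, the key-to-technique mapping and the log lines are all constructed for this example.

```python
import re

# Illustrative audit.rules fragment (assumption, not ScienceSoft's configuration).
# Each rule tags matching events with a -k key; auditd writes it into the record
# as key="..." and that is the field the correlation rule matches on.
AUDIT_RULES = """\
-w /etc/passwd -p wa -k user_account_change
-w /etc/shadow -p wa -k user_account_change
-w /etc/cron.d/ -p wa -k cron_persistence
-w /etc/sudoers -p wa -k sudoers_change
-w /var/log/ -p wa -k log_tamper
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_exec
"""

# Hypothetical key -> ATT&CK technique mapping chosen for this example.
KEY_TO_TECHNIQUE = {
    "user_account_change": ("T1136.001", "Create Account: Local Account"),
    "cron_persistence": ("T1053.003", "Scheduled Task/Job: Cron"),
    "sudoers_change": ("T1548.003", "Abuse Elevation Control Mechanism: Sudo and Sudo Caching"),
    "log_tamper": ("T1070.002", "Indicator Removal: Clear Linux or Mac System Logs"),
    "root_exec": ("T1548", "Abuse Elevation Control Mechanism"),
}

# Constructed auditd records (not captured from a real host). Record 101 is a
# SYSCALL/PATH pair for a write to /etc/passwd; record 104 has no key (auid unset,
# a cron child) and must be ignored; record 105 is tagged but its rule is disabled.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0a0 a2=241 a3=1b6 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" subj=unconfined key="user_account_change"',
    'type=PATH msg=audit(1700000000.101:101): item=1 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.202:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c1f0 a2=241 a3=1b6 items=2 ppid=2001 pid=2010 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined key="cron_persistence"',
    'type=SYSCALL msg=audit(1700000000.303:103): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c300 a1=55d1c340 a2=55d1c380 a3=0 items=2 ppid=2010 pid=2011 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" subj=unconfined key="root_exec"',
    'type=SYSCALL msg=audit(1700000000.404:104): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c400 a1=55d1c440 a2=55d1c480 a3=0 items=2 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" subj=unconfined key=(null)',
    'type=SYSCALL msg=audit(1700000000.505:105): arch=c000003e syscall=87 success=yes exit=0 a0=55d1c500 a1=0 a2=0 a3=0 items=2 ppid=2001 pid=2020 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" subj=unconfined key="log_tamper"',
]

# Rules that ship disabled: only keys listed here are correlated (assumption).
ENABLED_KEYS = {"user_account_change", "cron_persistence", "root_exec"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


def parse_record(line):
    """Parse one auditd record into a dict of fields; quoted values are unquoted
    and the msg=audit(time:serial) token is split into 'time' and 'serial'."""
    fields = {name: value.strip('"') for name, value in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["time"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields


def rule_keys(rules_text):
    """Keys produced by an audit.rules fragment, to check that every key the SIEM
    rules expect is actually emitted by the host configuration."""
    return set(re.findall(r'-k\s+(\S+)', rules_text))


def detect(lines, enabled_keys):
    """Correlate SYSCALL records whose key belongs to an enabled rule into alerts.
    PATH/other record types and records with key=(null) are ignored."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        key = rec.get("key")
        if key not in KEY_TO_TECHNIQUE or key not in enabled_keys:
            continue
        technique_id, technique_name = KEY_TO_TECHNIQUE[key]
        alerts.append({
            "technique": technique_id,
            "name": technique_name,
            "key": key,
            "auid": rec.get("auid"),   # login user, survives su/sudo
            "comm": rec.get("comm"),
            "exe": rec.get("exe"),
            "serial": rec.get("serial"),
        })
    return alerts


if __name__ == "__main__":
    missing = set(KEY_TO_TECHNIQUE) - rule_keys(AUDIT_RULES)
    print("keys with no producing audit rule:", missing or "none")
    for alert in detect(SAMPLE_LOG, ENABLED_KEYS):
        print(alert["serial"], alert["technique"], alert["name"], "auid", alert["auid"], alert["exe"])
```

The rule_keys check is the one to run first when onboarding a host: a correlation rule that matches on a key no audit rule emits will never fire, which looks exactly like "no attack" in the SIEM. Note that auid is the original login UID and is the field to pivot on for attribution, since uid/euid are 0 after sudo.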
QRadar Native Alternatives
QRadar has no such native functionality. All correlation rules must be developed manually, and the corresponding configuration of the target systems must be investigated and performed manually as well.
MITRE Linux Integration App is a commercial application by ScienceSoft with part of its functionality available for free. The free version contains 47 correlation rules of the 67 available in the paid version.
IBM App Exchange
MITRE Linux Integration App is officially available on IBM Security App Exchange. Please follow the link to download it.