Upcoming changes to Integrity Monitoring Rules in Cloud One Workload Security/Deep Security

Updated: 29 Jul 2021
Product/Version: Cloud One - Workload Security; Deep Security All
Summary

Cloud One Workload Security/Deep Security Integrity Monitoring rules have been completely revamped to break broad-based generic rules down into “high fidelity” rules. Each rule and its corresponding trigger now point to a specific change within the environment, which allows greater customization of the rules and reduces the overall number of generated alerts.

Collecting feedback from both customers and the Trend Micro threat research team, the rules have been updated with the following goals in mind:

  • Security Effectiveness
  • Granularity
  • Alignment with the MITRE ATT&CK framework

Because most of these rules are now tagged with the relevant MITRE ATT&CK ID, it is simpler to correlate them with events from other sources and to decide on a course of action after identifying a change as legitimate or illegitimate.

Along with these functional changes, the rule names and descriptions have also been updated to reflect, most importantly, the MITRE ATT&CK ID, the rule type, the platform and what the rule monitors.

For example (screenshots in the original article, not reproduced here):

  • General section of the rule (General tab)
  • Details section of the rule (Details tab)
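The naming convention described above (platform, what is monitored, then the ATT&CK technique IDs in parentheses) makes the technique tags machine-readable. The following Python is an added example, not Trend Micro's code and not part of the original article: it parses rule names of that form, builds an index from ATT&CK technique ID to rule identifier, and tags an Integrity Monitoring event that carries a rule identifier with the corresponding techniques. The sample rows are copied from the tables in this article; the event record, the function names and the `ImRule` type are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example (not Trend Micro code). Rule names in the new convention look like
#   "<platform> - <what is monitored> (ATT&CK T1234, T5678.001)"
# The "(ATT&CK ...)" suffix is optional. One row in the article writes "(T1584.004)"
# without the "ATT&CK" prefix and another "(ATT&CK 1037)" without the leading "T",
# so both variations are tolerated and normalised.
RULE_NAME_RE = re.compile(
    r"^(?P<platform>[^-]+?)\s+-\s+(?P<subject>.+?)"
    r"(?:\s+\((?:ATT&CK\s+)?(?P<techniques>[T0-9.,\s]+)\))?$"
)
TECHNIQUE_RE = re.compile(r"\bT?\d{4}(?:\.\d{3})?\b")


@dataclass
class ImRule:
    identifier: int
    platform: str
    subject: str
    techniques: List[str]
    recommended: bool  # True when "Assigned by Recommendation Scan" is "Yes"


def parse_rule(identifier: int, name: str, recommended: str) -> ImRule:
    """Split a rule name into platform, monitored subject and ATT&CK technique IDs."""
    m = RULE_NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"rule name does not follow the new convention: {name!r}")
    techniques: List[str] = []
    if m.group("techniques"):
        for tok in TECHNIQUE_RE.findall(m.group("techniques")):
            # normalise a bare "1037" to "T1037" so keys are consistent
            techniques.append(tok if tok.startswith("T") else "T" + tok)
    return ImRule(
        identifier,
        m.group("platform").strip(),
        m.group("subject").strip(),
        techniques,
        recommended.strip().lower() == "yes",
    )


# Constructed sample: rows copied from the article's batch 1 and batch 2 tables.
SAMPLE_ROWS: List[Tuple[int, str, str]] = [
    (1010798, "Linux/Unix - Local user and group files modified (ATT&CK T1136.001, T1531)", "Yes"),
    (1010805, "Linux/Unix - runtime linker configuration files modified", "No"),
    (1010817, "Linux/Unix - Run control (rc) scripts modified (ATT&CK T1037.004)", "Yes"),
    (1010840, "Linux/Unix - Host access control files modified (T1584.004)", "Yes"),
    (1010843, "Linux/Unix - Boot files modified (ATT&CK T1542)", "Yes"),
    (1010853, "Linux/Unix - Process initialization scripts and configuration files modified (ATT&CK 1037)", "Yes"),
    (1010856, "Linux/Unix - Static boot loader files modified (ATT&CK T1542)", "Yes"),
]


def load_sample_rules() -> List[ImRule]:
    """Parse the constructed sample rows into ImRule records."""
    return [parse_rule(ident, name, rec) for ident, name, rec in SAMPLE_ROWS]


def technique_index(rules: List[ImRule]) -> Dict[str, List[int]]:
    """Map each ATT&CK technique ID to the rule identifiers that reference it."""
    index: Dict[str, List[int]] = {}
    for rule in rules:
        for tech in rule.techniques:
            index.setdefault(tech, []).append(rule.identifier)
    return index


def tag_event(event: Dict[str, object], rules_by_id: Dict[int, ImRule]) -> Dict[str, object]:
    """Attach technique IDs and the monitored subject to an event carrying a rule_id.

    The event shape (host, rule_id, path) is a constructed stand-in for whatever
    the SIEM receives; only rule_id is needed for the lookup.
    """
    rule = rules_by_id.get(int(event["rule_id"]))
    tagged: Dict[str, object] = dict(event)
    tagged["techniques"] = list(rule.techniques) if rule else []
    tagged["subject"] = rule.subject if rule else None
    return tagged


if __name__ == "__main__":
    rules = load_sample_rules()
    for tech, ids in sorted(technique_index(rules).items()):
        print(f"{tech:<10} -> {ids}")
    by_id = {r.identifier: r for r in rules}
    sample_event = {"host": "web01", "rule_id": 1010840, "path": "/etc/hosts.allow"}  # constructed
    print(tag_event(sample_event, by_id))
```

The index is what lets an analyst pivot from a technique seen in another sensor's telemetry (for example T1542 from an EDR alert) to the Integrity Monitoring rules that would corroborate it; rules with no technique tag simply do not appear in the index.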

Details

Release Schedule

These changes will be rolled out over time in groups. The grouping is based on a generic rule being broken down into high fidelity granular rules that generally point to a specific ATT&CK Technique observed in attacks.

  1. Batch 1: 2021-06-15
  2. Batch 2: 2021-06-29
  3. Batch 3: 2021-07-13
  4. Batch 4: 2021-07-27
 
If a rule was assigned by a Recommendation Scan, it will be un-assigned after the next scan. If it was assigned manually, it will have to be removed manually as well.
 

Release Date: 2021-06-15

DSRU Version: 21-027

Changes: The first batch will un-recommend 1003513 - Unix - File attributes changed in /etc location. The following rules have been developed to monitor the most important contents of the /etc directory.

| Identifier | Name | Assigned by Recommendation Scan |
| --- | --- | --- |
| 1010798 | Linux/Unix - Local user and group files modified (ATT&CK T1136.001, T1531) | Yes |
| 1010805 | Linux/Unix - runtime linker configuration files modified | No |
| 1010807 | Linux/Unix - System wide environment variables and startup scripts modified (ATT&CK T1546.004) | Yes |
| 1010808 | Linux/Unix - bash configuration files modified (ATT&CK T1059.004, T1546.004) | Yes |
| 1010809 | Linux/Unix - List of valid login shells modified (ATT&CK T1059.004) | Yes |
| 1010812 | Linux/Unix - Name resolver configuration files modified (ATT&CK T1071.004, T1583.002) | No |
| 1010813 | Linux/Unix - PAM configuration files modified (ATT&CK T1068) | Yes |
| 1010815 | Linux/Unix - Samba configuration files modified (ATT&CK T1135) | Yes |
| 1010817 | Linux/Unix - Run control (rc) scripts modified (ATT&CK T1037.004) | Yes |
| 1010819 | Linux/Unix - xinetd configuration files modified | Yes |
| 1010821 | Linux/Unix - Alternative commands modified (ATT&CK T1036) | Yes |
| 1010824 | Linux/Unix - Software repository modified (ATT&CK T1195.002) | Yes |
| 1010825 | Linux/Unix - adduser, useradd and deluser configuration files modified (ATT&CK T1136.001, T1531) | Yes |
| 1010826 | Linux/Unix - dhclient configuration files modified | Yes |
| 1010827 | Linux/Unix - csh/tcsh configuration files modified (ATT&CK T1059.004, T1546.004) | Yes |
| 1010828 | Linux/Unix - zsh configuration files modified (ATT&CK T1059.004, T1546.004) | Yes |
| 1010838 | Linux/Unix - Core system configuration files modified | Yes |
| 1010839 | Linux/Unix - Name of the local system modified (ATT&CK T1082) | Yes |
| 1010840 | Linux/Unix - Host access control files modified (T1584.004) | Yes |
| 1010841 | Linux/Unix - ftpd configuration files modified (ATT&CK T1048, T1071.002) | Yes |
| 1010842 | Linux/Unix - Boot loader configuration files modified (ATT&CK T1542) | Yes |
| 1010853 | Linux/Unix - Process initialization scripts and configuration files modified (ATT&CK 1037) | Yes |
| 1010950 | Linux/Unix - sudo files modified (ATT&CK T1548.003) | Yes |
| 1010962 | Linux/Unix - Network services configuration files modified | Yes |
| 1010963 | Linux/Unix - Kernel configuration files modified (ATT&CK T1547.006) | Yes |
| 1010964 | Linux/Unix - Internet routing information file modified | Yes |
| 1010979 | Linux/Unix - FTP client process initiated (ATT&CK T1048) | Yes |

Release Date: 2021-06-29

DSRU Version: 21-029

Changes: The second batch will un-recommend 1003514 - Unix - File attributes changed in /lib location. The following rules have been developed to monitor the most important contents of the /lib directory. Additionally, a new rule has been created to monitor the /boot directory: 1010856 - Linux/Unix - Static boot loader files modified (ATT&CK T1542).

| Identifier | Name | Assigned by Recommendation Scan |
| --- | --- | --- |
| 1010793 | Linux/Unix - Shared object files modified | Yes |
| 1010843 | Linux/Unix - Boot files modified (ATT&CK T1542) | Yes |
| 1010844 | Linux/Unix - modeprobe configuration files modified (ATT&CK T1547.006) | Yes |
| 1010845 | Linux/Unix - Default firewall rules modified (ATT&CK T1562.004) | Yes |
| 1010846 | Linux/Unix - Disk configuration files modified (ATT&CK T1561.002) | Yes |
| 1010847 | Linux/Unix - SSL configuration files modified (ATT&CK T1587.003) | Yes |
| 1010848 | Linux/Unix - User access control files modified (ATT&CK T1068) | Yes |
| 1010856 | Linux/Unix - Static boot loader files modified (ATT&CK T1542) | Yes |

Release Date: 2021-07-13

DSRU Version: 21-032

Changes: The third batch will modify several rules to ensure only the required attributes are monitored and that the Name/Description sections conform to the new standard. Additionally, the rule 1003104 - DNS Client will be recommended only on Windows platforms.

The IM Rule “1003335 - Application – PAM” will be deleted in this batch because the entities it monitors are already being monitored by other rules. As such, there is no loss of monitoring with this redundant rule deletion. The new rules listed below provide equivalent coverage with more granularity.

  1. 1003573 - Linux/Unix - File attributes in the /bin directory modified
  2. 1002875 - Linux/Unix - Software installed, updated or removed
  3. 1010813 - Linux/Unix - PAM configuration files modified (ATT&CK T1068)

| Identifier | Name | Assigned by Recommendation Scan |
| --- | --- | --- |
| 1002875 | Linux/Unix - Software installed, updated or removed | Yes |
| 1010373 | Linux/Unix - Systemd service modified (ATT&CK T1543.002) | Yes |
| 1010791 | Linux/Unix - Task scheduler entries modified (ATT&CK T1053) | Yes |
| 1009643 | Linux/Unix - bash command history cleared (ATT&CK T1059.004) | Yes |
| 1009622 | Linux/Unix - bash non-root user configuration files modified (ATT&CK T1546.004) | No |
| 1011021 | Linux/Unix - bash root user configuration files modified (ATT&CK T1546.004) | Yes |

Release Date: 2021-07-27

DSRU Version: 21-034

Changes: The fourth batch modifies the remaining Linux/Unix rules to ensure that the Name/Description sections conform to the new standard. Additionally, rules that have configurable attribute monitoring gain the SHA256 attribute as a selectable option.

| Identifier | Name | Assigned by Recommendation Scan |
| --- | --- | --- |
| 1002766 | Linux/Unix - Directory attributes of /sbin modified (ATT&CK T1222.002) | Yes |
| 1002770 | Linux/Unix - File attributes in the /usr/bin and /usr/sbin directories modified | Yes |
| 1002771 | Linux/Unix - File permissions in the /var/log directory modified (ATT&CK T1222.002) | No |
| 1003513 | Linux/Unix - File attributes in the /etc directory modified | No |
| 1003514 | Linux/Unix - File attributes in the /lib directory modified | No |
| 1003573 | Linux/Unix - File attributes in the /bin directory modified | Yes |
| 1003574 | Linux/Unix - File attributes in the /sbin directory modified | Yes |
| 1003587 | Linux/Unix - Directory attributes of /bin modified (ATT&CK T1222.002) | Yes |
| 1005193 | Linux/Unix - File attributes modified (ATT&CK T1070.002, T1222.002) | No |
| 1008464 | Linux/Unix - File attributes in the /usr/etc, /usr/lib, /usr/lib64, /usr/libexec And /usr/local directories modified | No |
| 1010389 | Linux/Unix - Process running from the /tmp and /var/tmp directories detected (ATT&CK T1543) | Yes |
Category: SPEC
Solution Id: 000286752