Welcome to the Cyber Analytics Repository
If you want to start exploring, try viewing the Full Analytic List or use the CAR Exploration Tool (CARET). Also, check out the new ATT&CK Navigator Layer that captures the current set of ATT&CK tactics and techniques covered by CAR.
Analytics stored in CAR contain the following information:
- a hypothesis that explains the idea behind the analytic
- the information domain, i.e. the primary domain the analytic is designed to operate within (e.g. host, network, process, external)
- references to the ATT&CK Techniques and Tactics that the analytic detects
- the Glossary
- a pseudocode description of how the analytic might be implemented
- a unit test that can be run to trigger the analytic
Information about the latest CAR updates and changes can be found in this section.
- Added Sysmon 10.4 sensor with data model mappings and CAR analytic coverage.
- Added true positives (examples of real events that the analytic should successfully detect) to:
- New analytics added
- Added Splunk/Sysmon implementations to several analytics
- Added EQL implementations to several analytics
- Added corresponding Sigma rule references to several analytics
- New analytics added
- All CAR analytics have been converted to YAML; the YAML versions can be found here.
- Added an ATT&CK Navigator Layer for capturing the current set of ATT&CK tactics/techniques covered by CAR analytics.
- Four new analytics were added
- Three new fields were added to the Process object
CAR analytics were developed to detect the adversary behaviors in ATT&CK. Development of an analytic is based upon the following activities:
- identifying and prioritizing adversary behaviors from the ATT&CK adversary model
- identifying the data necessary to detect the adversary behavior
- identifying or creating a sensor to collect the necessary data
- creating the analytic itself to detect the identified behaviors
CAR is intended to be shared with cyber-defenders throughout the community.
CAR and ATT&CK
It’s important to remember that ATT&CK and CAR are separate projects for good reason. It’s critical to keep how we articulate threats with ATT&CK separate from a set of possible ways to detect them with the analytics. We don’t want the defender content in ATT&CK to be overly prescriptive about how someone can defend against ATT&CK techniques because there could be many different ways, and it’s up to the organization implementing them to determine what works best for their environment and the threats they face. This is why we didn’t put the analytics in ATT&CK to begin with. CAR is a good starting point for many organizations and can be a great platform for open analytic collaboration - but it isn’t the be-all/end-all for defending against the threats described by ATT&CK.
Analytic Source Code Libraries
Some analytics are built as source code for specific products. In these cases, code might support a broad set of detections in a way that makes it hard to describe a set of distinct analytics. For these types of analytics, rather than integrating them into the main CAR site, we’ve collected them under a library of implementations. Currently, the only library is BZAR, a collection of Zeek (Bro) scripts looking primarily at SMB and RPC traffic.
We would love your contributions! Please see the Contribution Guidance for more information.