Detection coverage
ruben edited this page Nov 1, 2023 · 12 revisions
It is essential for blue teams to have a good understanding of where they have detection, the level of that detection and where they lack detection. Using the YAML techniques administration file you can record the level of detection you have for each ATT&CK technique.
You can find a short explanation on how to get started scoring your detections to determine your detection coverage here.
You can record the following in the YAML techniques administration file:
- The type of system(s) the detection applies to (e.g. Windows endpoints, Windows servers, Linux servers, crown jewel x, etc.).
  - You can have multiple detections per technique in the YAML file to allow detailed scoring of your detections per type of system. This is achieved using the `applicable_to` property. See T1055 in the example file: techniques-administration-endpoints.yaml.
  - We recommend using the same `applicable_to` values in your technique administration file and your data source administration file.
- Where the detection resides.
- A possible comment.
  - If you want a multiline comment in the Excel output, we recommend using the YAML `|` block scalar. For more info have a look at: https://yaml-multiline.info/.
- The date when the detection was implemented or improved.
- A detection score. More on this can be found here.
  - You can keep track of changes in the score by having multiple `score` objects within a `score_logbook`. See for example ATT&CK technique T1569.002 in the sample technique administration file.
- You can add anything else you want to record by adding your own key-value pairs.
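The following is an added example (not part of the DeTT&CT project) showing how a script could read a structure shaped like the techniques administration file, take the most recent `score_logbook` entry per `applicable_to` group, and flag `applicable_to` values that do not also appear in a data source administration file. The dicts are constructed samples; key names other than `applicable_to`, `score_logbook`, `score`, `date` and `comment` (such as `technique_id`, `location`, `data_source_name`) are assumptions about the file layout.

```python
from datetime import date

# Constructed sample shaped like a parsed techniques administration file
# (what yaml.safe_load would return). Field names beyond those mentioned
# on the wiki page are assumptions.
TECHNIQUES_FILE = {
    "techniques": [
        {"technique_id": "T1055", "detection": [
            {"applicable_to": ["Windows endpoints"], "location": ["EDR"],
             "score_logbook": [{"date": date(2023, 1, 15), "score": 2},
                               {"date": date(2023, 9, 1), "score": 4}]},
            {"applicable_to": ["Linux servers"], "location": ["auditd"],
             "score_logbook": [{"date": date(2023, 3, 2), "score": 1}]},
        ]},
        {"technique_id": "T1569.002", "detection": [
            {"applicable_to": ["Windows servers"], "location": ["SIEM"],
             # Deliberately out of date order: the newest entry must still win.
             "score_logbook": [{"date": date(2023, 6, 1), "score": 3},
                               {"date": date(2022, 12, 1), "score": 1}]},
        ]},
    ]
}

# Constructed, simplified data source administration structure (assumed shape).
DATA_SOURCES_FILE = {"data_sources": [
    {"data_source_name": "Process Creation",
     "applicable_to": ["Windows endpoints", "Windows servers"]},
]}


def latest_score(score_logbook):
    """The most recent logbook entry is the current score, whatever the list order."""
    return max(score_logbook, key=lambda entry: entry["date"])["score"]


def detection_coverage(tech_file):
    """Map technique id -> {applicable_to tuple: current detection score}."""
    coverage = {}
    for tech in tech_file["techniques"]:
        per_system = coverage.setdefault(tech["technique_id"], {})
        for det in tech["detection"]:
            per_system[tuple(det["applicable_to"])] = latest_score(det["score_logbook"])
    return coverage


def applicable_to_mismatches(tech_file, ds_file):
    """applicable_to values used for detections but absent from the data source file."""
    ds_values = {v for ds in ds_file["data_sources"] for v in ds["applicable_to"]}
    used = {v for t in tech_file["techniques"] for d in t["detection"] for v in d["applicable_to"]}
    return sorted(used - ds_values)


if __name__ == "__main__":
    print(detection_coverage(TECHNIQUES_FILE))
    print("applicable_to not in data source file:", applicable_to_mismatches(TECHNIQUES_FILE, DATA_SOURCES_FILE))
```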
To generate a layer file for the ATT&CK Navigator based on the technique administration file, you can run the following command:

```
python dettect.py d -ft sample-data/techniques-administration-endpoints.yaml -l
```

You can generate an Excel sheet containing all information within the YAML file on your detections:

```
python dettect.py d -ft sample-data/techniques-administration-endpoints.yaml --excel
```