
YAML administration techniques_v1_0

ruben edited this page Nov 1, 2023 · 9 revisions

In this YAML file you administer your detection and visibility scores per ATT&CK technique. Among other things, DeTT&CT uses this information to generate layer files for the ATT&CK Navigator that give an overview of your detection and visibility coverage.

Sample file: techniques-administration-endpoints.yaml

Current version: version 1.2

File content:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| version | string | yes | Version of this technique administration file. The current version is 1.2. |
| file_type | string | yes | Indicates what type of YAML file this is. Possible values: data-source-administration, technique-administration and group-administration. For a technique administration file the value must be: technique-administration. |
| name | string | yes | Describes the type of assets for which you are describing the techniques, e.g. endpoints. |
| platform | string | yes | The platform for which you are describing the techniques. Possible values are the MITRE ATT&CK platform values: all, Linux, macOS, Windows. |
| techniques | list of technique objects | yes | Detection and visibility administration for each technique. See the description of the technique object below. |

Technique object:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| technique_id | string | yes | The technique ID according to MITRE ATT&CK, e.g. T1055.012. |
| detection | detection object | yes | Detection object containing information on the detection and its score. See the description of the detection object below. |
| visibility | visibility object | yes | Visibility object containing the visibility score. See the description of the visibility object below. |

Detection object:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| date_registered | date (yyyy-mm-dd) | yes | Date on which the detection information was registered. |
| date_implemented | date (yyyy-mm-dd) | yes | Date on which the detection was implemented. This date is used to draw a graph of the progress of your detection capabilities over time. |
| score | int | yes | Score between -1 and 5. Scoring detection is explained in a separate section. |
| location | list of strings | yes | Where your detection resides, e.g. your SIEM product, or the ID or name of a specific use case/detection rule. |
| comment | string | yes | Free-text comment on the detection for this technique. |

Visibility object:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| score | int | yes | Score between 0 and 4. Scoring visibility is explained in a separate section. |
| comment | string | yes | Free-text comment on the visibility for this technique. |
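A common mistake with hand-edited administration files is a value that is the wrong type or out of range (a detection score of 6, a `file_type` spelled `techniques-administration`, a technique ID without the `T` prefix). The following validator checks a parsed technique administration file against the field tables above and summarises coverage. It is an added example and not part of DeTT&CT; the `SAMPLE_DOC`/`BROKEN_DOC` data, the ATT&CK ID regex and the `yaml.safe_load` loader (PyYAML, which is not in the standard library) are assumptions made here.

```python
"""Validate a DeTT&CT technique-administration file (version 1.2) against the
field tables on this page and summarise detection/visibility coverage.
Added example, not DeTT&CT code. The ID pattern and sample data are assumed."""
import copy
import re
from datetime import date

REQUIRED_TOP = ("version", "file_type", "name", "platform", "techniques")
REQUIRED_DETECTION = ("date_registered", "date_implemented", "score", "location", "comment")
REQUIRED_VISIBILITY = ("score", "comment")
PLATFORMS = {"all", "Linux", "macOS", "Windows"}
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # assumption: ATT&CK Txxxx[.yyy]


def load_technique_admin(path):
    """Parse the YAML file with PyYAML (assumed installed; not stdlib)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def _check_date(value, path, errors):
    # PyYAML turns a bare yyyy-mm-dd into datetime.date; a quoted one stays a string.
    if isinstance(value, date):
        return
    try:
        date.fromisoformat(str(value))
    except ValueError:
        errors.append(f"{path}: expected yyyy-mm-dd, got {value!r}")


def _check_score(value, low, high, path, errors):
    # bool is a subclass of int, so a YAML 'yes' must not slip through as 1
    if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
        errors.append(f"{path}: score must be an integer between {low} and {high}, got {value!r}")


def validate_technique_admin(doc):
    """Return a list of error strings; an empty list means the file is valid."""
    errors = []
    if not isinstance(doc, dict):
        return ["top level must be a mapping"]
    errors += [f"missing required key: {k}" for k in REQUIRED_TOP if k not in doc]
    if "version" in doc and str(doc["version"]) != "1.2":  # YAML parses 1.2 as a float
        errors.append(f"version: expected 1.2, got {doc['version']!r}")
    if "file_type" in doc and doc["file_type"] != "technique-administration":
        errors.append(f"file_type: expected 'technique-administration', got {doc['file_type']!r}")
    if "platform" in doc and doc["platform"] not in PLATFORMS:
        errors.append(f"platform: expected one of {sorted(PLATFORMS)}, got {doc['platform']!r}")
    techniques = doc.get("techniques")
    if not isinstance(techniques, list):
        errors.append("techniques: must be a list of technique objects")
        return errors
    seen = set()
    for i, tech in enumerate(techniques):
        path = f"techniques[{i}]"
        if not isinstance(tech, dict):
            errors.append(f"{path}: must be a mapping")
            continue
        tid = tech.get("technique_id")
        if not isinstance(tid, str) or not TECHNIQUE_ID_RE.match(tid):
            errors.append(f"{path}.technique_id: invalid ATT&CK ID {tid!r}")
        elif tid in seen:  # the same technique scored twice is almost always an edit error
            errors.append(f"{path}.technique_id: duplicate entry for {tid}")
        else:
            seen.add(tid)
        det = tech.get("detection")
        if not isinstance(det, dict):
            errors.append(f"{path}.detection: missing or not a mapping")
        else:
            errors += [f"{path}.detection.{k}: missing" for k in REQUIRED_DETECTION if k not in det]
            for key in ("date_registered", "date_implemented"):
                if key in det:
                    _check_date(det[key], f"{path}.detection.{key}", errors)
            if "score" in det:
                _check_score(det["score"], -1, 5, f"{path}.detection.score", errors)
            loc = det.get("location")
            if "location" in det and (not isinstance(loc, list) or not all(isinstance(x, str) for x in loc)):
                errors.append(f"{path}.detection.location: must be a list of strings")
        vis = tech.get("visibility")
        if not isinstance(vis, dict):
            errors.append(f"{path}.visibility: missing or not a mapping")
        else:
            errors += [f"{path}.visibility.{k}: missing" for k in REQUIRED_VISIBILITY if k not in vis]
            if "score" in vis:
                _check_score(vis["score"], 0, 4, f"{path}.visibility.score", errors)
    return errors


def coverage_summary(doc):
    """Count techniques with any detection (score >= 1) and any visibility (score >= 1)."""
    techniques = doc.get("techniques", [])
    return {"techniques": len(techniques),
            "detected": sum(1 for t in techniques if t["detection"]["score"] >= 1),
            "visible": sum(1 for t in techniques if t["visibility"]["score"] >= 1)}


# Constructed sample: the dict yaml.safe_load() returns for a small endpoints file.
SAMPLE_DOC = {
    "version": 1.2, "file_type": "technique-administration", "name": "endpoints", "platform": "Windows",
    "techniques": [
        {"technique_id": "T1055.012",
         "detection": {"date_registered": date(2023, 3, 1), "date_implemented": date(2023, 4, 15),
                       "score": 3, "location": ["SIEM: process hollowing rule"], "comment": "Sysmon-based"},
         "visibility": {"score": 2, "comment": "Sysmon on all workstations"}},
        {"technique_id": "T1003",
         "detection": {"date_registered": "2023-03-01", "date_implemented": "2023-03-01",
                       "score": 0, "location": [], "comment": ""},
         "visibility": {"score": 1, "comment": ""}},
    ],
}
# Constructed broken copy: the file_type typo, an out-of-range score and a bad ID.
BROKEN_DOC = copy.deepcopy(SAMPLE_DOC)
BROKEN_DOC["file_type"] = "techniques-administration"
BROKEN_DOC["techniques"][0]["detection"]["score"] = 6
BROKEN_DOC["techniques"][1]["technique_id"] = "1003"

if __name__ == "__main__":
    print("sample:", validate_technique_admin(SAMPLE_DOC) or "ok", coverage_summary(SAMPLE_DOC))
    print("broken:", *validate_technique_admin(BROKEN_DOC), sep="\n  ")
```

Run `validate_technique_admin(load_technique_admin("techniques-administration-endpoints.yaml"))` on your own file before feeding it to DeTT&CT; an empty list means every required field is present and every score and date is in range.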