Skip to content

Detection coverage

Jump to bottom
ruben edited this page Nov 1, 2023 · 12 revisions

It is essential for blue teams to have a good understanding of where they have detection, the level of detection and where they lack detection. Using the YAML techniques administration file you can administrate the level of detection you have on ATT&CK techniques.

Getting started

You can find a short explanation on how to get started scoring your detections to determine your detection coverage here.

What information can be recorded

You can record the following in the YAML techniques administration file:

  • The type of system(s) the detection applies to (e.g. Windows endpoints, Windows servers, Linux servers, crown jewel x, etc.).
    • You can have multiple detections per technique in the YAML file to allow detailed scoring of your detections per type of system. This can be achieved using the applicable_to property. See T1055 in the example file: techniques-administration-endpoints.yaml.
    • We recommend using the same applicable_to values between your technique and your data source administration file.
  • Where the detection resides.
  • A possible comment.
    • If you want to have a multiline comment in the Excel output. We recommend making use of |. For more info have a look at: https://yaml-multiline.info/.
  • The date when the detection was implemented or improved.
  • A detection score. More on this can be found here.
  • You can add anything else you want to record by adding your own key-value pairs.

Visualise in the ATT&CK Navigator

To generate a layer file for the ATT&CK Navigator based on the technique administration file, you can run the following command:

python dettect.py d -ft sample-data/techniques-administration-endpoints.yaml -l
DeTT&CT - Detection coverage

Excel output

You can generate an Excel sheet containing all information within the YAML file on your detections:

python dettect.py d -ft sample-data/techniques-administration-endpoints.yaml --excel
DeTT&CT - Detections Excel output

Overview

  1. Home
  2. Introduction
  3. Installation and requirements
  4. Getting started / How to
  5. Changelog
  6. Future developments
  7. ICS - Inconsistencies

Data sources

  1. Introduction
  2. DeTT&CT data sources
  3. Data sources per platform
  4. Data quality
  5. Scoring data quality
  6. Improvement graph

Visibility Coverage

  1. Introduction
  2. Scoring visibility
  3. Improvement graph

Detection coverage

  1. Introduction
  2. Scoring detection
  3. Improvement graph

Threat actor group mapping

  1. Introduction

YAML administration files

  1. Introduction
  2. Data sources
  3. Techniques
  4. Groups
  5. DeTT&CT Editor
Clone this wiki locally