
YAML administration techniques_v1_1

ruben edited this page Nov 1, 2023 · 10 revisions

In this YAML file you administrate your detection and visibility scores per ATT&CK technique. Among other things, DeTT&CT uses this information to generate layer files for the ATT&CK Navigator that give an overview of your detection and visibility coverage.

Sample file: techniques-administration-endpoints.yaml

Current version: 1.2

File content:

| Name | Type | Required | Description |
|---|---|---|---|
| version | string | yes | Version of this technique administration file. The current version is 1.2. |
| file_type | string | yes | Indicates what type of YAML file this is. Possible values: data-source-administration, technique-administration and group-administration. For a techniques administration file the value must be technique-administration. |
| name | string | yes | Describes the type of assets for which you are describing the techniques, e.g. endpoints. |
| platform | string | yes | The platform for which you are describing the techniques. Possible values are the MITRE ATT&CK platform values: all, Linux, macOS, Windows. |
| techniques | list with technique objects | yes | Administration of detection and visibility for each technique. See the description of the technique object below. |

Technique object:

| Name | Type | Required | Description |
|---|---|---|---|
| technique_id | string | yes | The technique ID according to MITRE ATT&CK, e.g. T1055.012. |
| technique_name | string | no | The technique name according to MITRE ATT&CK, e.g. Process Injection: Process Hollowing. |
| detection | detection object | yes | Detection object(s) containing information on the detection and its score. See the description of the detection object below. When a technique has multiple detections this becomes a list of detection objects; see T1055 in the example file techniques-administration-endpoints.yaml. |
| visibility | visibility object | yes | Visibility object(s) containing the visibility score. See the description of the visibility object below. When a technique has multiple visibility objects this becomes a list. |

Detection object:

You can have multiple detection objects within a technique object for different types of systems (e.g. Windows endpoints, Windows servers, Linux servers, crown jewel x, etc.). The type(s) of system the score applies to is indicated by the key-value pair applicable_to.

| Name | Type | Required | Description |
|---|---|---|---|
| applicable_to | list of strings | yes | The type(s) of system this detection applies to. Use the value ['all'] to let it apply to every type of system. |
| date_registered | date (yyyy-mm-dd) | yes | Date on which the detection information was registered. |
| date_implemented | date (yyyy-mm-dd) | yes | Date on which the detection was implemented. This date is used to draw a graph showing the progress of your detection capabilities over time. |
| score | int | yes | Integer score between -1 and 5 (inclusive). How to score detection is explained in a separate section. |
| location | list of strings | yes | Where the detection resides, e.g. your SIEM product, or the ID or name of a specific use case/detection rule. |
| comment | string | yes | Free-text comment on the detection for this technique (the key is required; the text may be empty). |

If you want a multiline comment in the Excel output, we recommend using the YAML literal block scalar (|). For more information have a look at: https://yaml-multiline.info/.

Visibility object:

You can have multiple visibility objects within a technique object for different types of systems (e.g. Windows endpoints, Windows servers, Linux servers, crown jewel x, etc.). The type(s) of system the score applies to is indicated by the key-value pair applicable_to.

| Name | Type | Required | Description |
|---|---|---|---|
| applicable_to | list of strings | yes | The type(s) of system this visibility and its score apply to. Use the value ['all'] to let it apply to every type of system. |
| score | int | yes | Integer score between 0 and 4 (inclusive). How to score visibility is explained in a separate section. |
| comment | string | yes | Free-text comment on the visibility for this technique (the key is required; the text may be empty). |

If you want a multiline comment in the Excel output, we recommend using the YAML literal block scalar (|). For more information have a look at: https://yaml-multiline.info/.
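As an added worked example (it is not part of this wiki page or of the DeTT&CT code base), the block below puts the file, technique, detection and visibility tables above together: a constructed techniques administration file in which T1055.012 uses single detection and visibility objects and T1055 uses lists (one object per applicable_to), followed by a small stand-alone validator that checks the required keys, the applicable_to list, the yyyy-mm-dd dates, the technique ID format and the score ranges from the tables. The sample's dates, scores, comments and the use case name UC-0042 are made up for the example, and its last visibility score is deliberately out of range so the validator has something to report; PyYAML is assumed only for reading the YAML text, the checks themselves use nothing beyond the standard library.

```python
"""Validate a DeTT&CT technique administration file (YAML version 1.2) against the tables on this page."""
import re

# Constructed sample: single objects for T1055.012, lists (one per applicable_to) for T1055,
# plus a deliberately out-of-range visibility score at the end so the validator has something to report.
SAMPLE_YAML = """\
version: 1.2
file_type: technique-administration
name: endpoints
platform: Windows
techniques:
  - technique_id: T1055.012
    detection:
      applicable_to: ['all']
      date_registered: 2023-01-10
      date_implemented: 2023-02-01
      score: 3
      location: ['SIEM', 'UC-0042']
      comment: |
        Alerts when the main image section is unmapped and a thread
        later starts outside any mapped image.
    visibility:
      applicable_to: ['all']
      score: 4
      comment: 'Sysmon event IDs 1, 8 and 10 reach the SIEM.'
  - technique_id: T1055
    detection:
      - applicable_to: ['Windows endpoints']
        date_registered: 2023-01-10
        date_implemented: 2023-03-15
        score: 2
        location: ['EDR']
        comment: ''
      - applicable_to: ['Linux servers']
        date_registered: 2023-01-10
        date_implemented: 2023-01-10
        score: -1
        location: []
        comment: 'Not assessed yet.'
    visibility:
      - applicable_to: ['all']
        score: 6
        comment: 'Deliberately invalid: visibility scores run from 0 to 4.'
"""

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # also matches str(datetime.date), which PyYAML yields for unquoted dates
PLATFORMS = {"all", "linux", "macos", "windows"}  # values from the table; compared case-insensitively
OBJECT_SPEC = {  # required keys and allowed score range per object type
    "detection": (("applicable_to", "date_registered", "date_implemented", "score", "location", "comment"), range(-1, 6)),
    "visibility": (("applicable_to", "score", "comment"), range(0, 5))}

def _check_object(obj, keys, score_range, where, errors):
    if not isinstance(obj, dict):
        errors.append(f"{where}: expected a mapping")
        return
    errors += [f"{where}: missing required key '{k}'" for k in keys if k not in obj]
    app = obj.get("applicable_to")
    if not (isinstance(app, list) and app and all(isinstance(s, str) for s in app)):
        errors.append(f"{where}: applicable_to must be a non-empty list of strings")
    score = obj.get("score")
    if isinstance(score, bool) or not isinstance(score, int) or score not in score_range:
        errors.append(f"{where}: score must be an int in {score_range.start}..{score_range.stop - 1}, got {score!r}")
    for key in ("date_registered", "date_implemented"):
        if key in keys and not DATE.match(str(obj.get(key))):
            errors.append(f"{where}: {key} must be a yyyy-mm-dd date, got {obj.get(key)!r}")

def validate_technique_administration(doc):
    """Return a list of error strings; an empty list means the file conforms to the tables above."""
    if not isinstance(doc, dict):
        return ["file: top level must be a mapping"]
    errors = [f"file: missing required key '{k}'" for k in ("version", "file_type", "name", "platform", "techniques") if k not in doc]
    if doc.get("file_type") != "technique-administration":
        errors.append(f"file: file_type must be 'technique-administration', got {doc.get('file_type')!r}")
    if str(doc.get("platform")).lower() not in PLATFORMS:
        errors.append(f"file: platform must be all, Linux, macOS or Windows, got {doc.get('platform')!r}")
    for i, tech in enumerate(doc.get("techniques") or []):
        where = f"techniques[{i}]"
        if not isinstance(tech, dict):
            errors.append(f"{where}: expected a technique object (mapping)")
            continue
        tid = tech.get("technique_id")
        if isinstance(tid, str) and TECHNIQUE_ID.match(tid):
            where = tid
        else:
            errors.append(f"{where}: technique_id must look like T1055 or T1055.012, got {tid!r}")
        for name, (keys, score_range) in OBJECT_SPEC.items():
            if name not in tech:
                errors.append(f"{where}: missing required key '{name}'")
                continue
            objects = tech[name] if isinstance(tech[name], list) else [tech[name]]  # one object, or a list of them
            for j, obj in enumerate(objects):
                _check_object(obj, keys, score_range, f"{where}.{name}[{j}]", errors)
    return errors

if __name__ == "__main__":
    import yaml  # PyYAML (pip install pyyaml); needed only to read the YAML text itself
    print("\n".join(validate_technique_administration(yaml.safe_load(SAMPLE_YAML))) or "OK")
```

Running the script prints one line, the out-of-range visibility score on T1055; fix that score and it prints OK. Because the validator works on the parsed structure, the same function can be pointed at your own file by replacing SAMPLE_YAML with the contents of techniques-administration-endpoints.yaml, and it accepts both the single-object and the list form of detection and visibility that the technique object table allows.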