A datasource assessment on an event level to show potential coverage of the “MITRE ATT&CK” framework.
This tool is developed by me and has no affiliation with “MITRE” nor with its great “ATT&CK” team, it is developed with the intention to ease the mapping of data sources to assess one’s potential coverage.
These scores will depict the potential value of the data source in finding more information about the technique, not everything is useful for detection rules. Some will be more useful for hunting or even only in Incident response.
This assessment will not be all covering, not will it be super exact on all levels. I’ve made the choice in favor of usability to not add weights to each individual event per technique, this would make it unusable for most people.
Opening the file will take you to the DataSourceEvents worksheet. This is the most important page of the document in terms of scoring and maintaining.
The sheet contains the DataSource and Events, of which you can add as much as you like. Next to that are three subscores for Completeness, Timeliness, and Availability, which result in the score for that Event.
Scoring your events is relatively straight forward, the legend is also included in the document on the RatingLegend page. I’ve tried to make this as simple as possible by using a 0–5 system. The total score is based on (2 * Completeness + Timeliness + 2 * Availability / 5) My rationale being the timeliness is less crucial than the other two, but should obviously be accounted for in the creation of hunts or detection rules.
Since not every data source is as important to each individual technique I decided to rate them by assigning a weight to them on a scale of 0–100, where the total should sum up to 100. This workbook can be edited, the weighing is based on my knowledge and experience. Pull requests are always welcome with improvements.
I’ve been keeping track of a lot of logs, most of the relevant logs I’ve added to a workbook for easy reference;
git clone https://github.com/olafhartong/ATTACKdatamap.git
More details in a blog post here
Copyright (C) 2019 olafhartong