πŸ”
πŸ”
πŸ”
πŸ”
s0cm0nkey's Security Reference Guide
Search…
All of the Best Links and Resources on Cyber Security.
Cyber Intelligence
Red - Offensive Operations
Red - Web App Hacking
Blue - Defensive Operations
Blue - DFIR: Digital Forensics and Incident Response
Yellow - NetEng/SysAdmin
Cloud
Containers
Logging and Security Architecture
How create a logging strategy
Logging - Network Services
Logging - Endpoint Logs
Logging - User Behavior Monitoring
Logging - Cloud
Device Discovery and Asset Monitoring
Log Source Evaluation
Yellow - Code and CLI
Grey - Privacy/TOR/OPSEC
Training and Resources
Powered By GitBook
Log Source Evaluation
Introducing DeTTECT!

Intro

When managing out log sources, we must often evaluate them for their detection capabilities. We know that not all log sources are created equally, but how can we tell? Well we can do this two ways: First, we can see if ther are any standards of logging that we can hold our logs to. For example, if you are a Splunk user, you can use thier CIM, Common information Model to define all of the pertinent data points you need to log, (Per splunk's opinion).
Second, we can evaluate our logs by scoring and comparing your logs to known standards such as Mitre Attack, to determine the level and quality of detection coverage.

DeTTECT

On of the best tools to help with this is DeTTECT. DeTTECT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage, and threat actor behaviors. All of which can help, in different ways, to get more resilient detection techniques against attacks targeting your organization. The DeTTECT framework consists of a Python tool, YAML administration files, the DeTTECT Editor, and scoring tables for the different aspects.
DeTTECT provides the following functionality:
  • Administrate and score the quality of your data sources.
  • Get insight on the visibility you have on for example endpoints.
  • Map your detection coverage.
  • Map threat actor behaviors.
  • Compare visibility, detections, and threat actor behaviors to uncover possible improvements in detection and visibility. This can help you to prioritize your blue teaming efforts.
DeTTECT Resources

ATTACKDataMap

This is an amazing tool written by the Sysmon Guru Olaf Hartong, for mapping data sources and their tracked events to Mitre coverage.

Misc

Previous
Device Discovery and Asset Monitoring
Next
Yellow - Code and CLI
Last modified 1mo ago
Copy link
Contents
Intro
DeTTECT
ATTACKDataMap
Misc