Log Source Evaluation
Introducing DeTTECT!


When managing out log sources, we must often evaluate them for their detection capabilities. We know that not all log sources are created equally, but how can we tell? Well we can do this two ways: First, we can see if ther are any standards of logging that we can hold our logs to. For example, if you are a Splunk user, you can use thier CIM, Common information Model to define all of the pertinent data points you need to log, (Per splunk's opinion).
Second, we can evaluate our logs by scoring and comparing your logs to known standards such as Mitre Attack, to determine the level and quality of detection coverage.


On of the best tools to help with this is DeTTECT. DeTTECT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage, and threat actor behaviors. All of which can help, in different ways, to get more resilient detection techniques against attacks targeting your organization. The DeTTECT framework consists of a Python tool, YAML administration files, the DeTTECT Editor, and scoring tables for the different aspects.
DeTTECT provides the following functionality:
  • Administrate and score the quality of your data sources.
  • Get insight on the visibility you have on for example endpoints.
  • Map your detection coverage.
  • Map threat actor behaviors.
  • Compare visibility, detections, and threat actor behaviors to uncover possible improvements in detection and visibility. This can help you to prioritize your blue teaming efforts.
DeTTECT Resources


This is an amazing tool written by the Sysmon Guru Olaf Hartong, for mapping data sources and their tracked events to Mitre coverage.