
Multitenancy

When accessing the parent domain in a multitenant structure, there is a dropdown where you can select the different domains at any moment in case you want to check their specific activity.


Using the application

You can see the entire MITRE ATT&CK matrix for all techniques that are possible. Not all are valid for signature-based alerts or SIEM technology. The entire matrix helps you to understand the full breadth of attack techniques that threat actors can use for further investigation. 


You can also filter by threat coverage and by threat group; the latter lets you select multiple threat groups that the MITRE organization is tracking. When you select one or more threat groups, the matrix is filtered to only the tactics and techniques those groups use, so you can assess your MITRE ATT&CK coverage against that specific set of threat groups.


View additional information about tactics or techniques by hovering over the information icons in the matrix.

Export coverage to PDF

You can export a PDF of your alert coverage by clicking on the Export to PDF button, located in the top right corner of the screen. A PDF of the matrix is saved to your device.


Enterprise matrix

Just as in the MITRE ATT&CK matrix, in the Alert coverage and Log source coverage tabs you can use the Enterprise matrix filter to narrow down to a specific platform (Windows, macOS, etc.).


Sub-techniques

Understand more about the sub-techniques behind techniques and identify areas where your organization might need additional protection. MITRE ATT&CK Techniques outline a particular way to achieve the goal of a tactic and a MITRE ATT&CK Technique might also include sub-techniques. These are particular ways to carry out the activities outlined in the technique. For example, the Brute Force Technique for Credential Access in the Enterprise Matrix has four sub-techniques:

  • Password guessing

  • Password cracking

  • Password spraying

  • Credential stuffing

All of these sub-techniques are ways to carry out the main technique but take advantage of different mechanisms to do so.


Click on a tactic or technique to see the detections that are available for your Devo domain. When you click a tactic or technique card, the table at the bottom of the screen updates to show the relevant alerts. You can also filter the table to specific tactics and techniques, and use the text search to find specific tactics, techniques, or alert names.


Install alert

Take action directly from the application to improve coverage of your organization against MITRE ATT&CK by adding an alert installation action to the table. The installation action is allowed for all domains and uses the same mechanism as the SecOps content manager to improve coverage. The alert can be uninstalled at any point.

The application runs two checks before enabling the action. The first ensures that the alert's data source is being ingested into the domain. The second checks whether the alert that adds to the coverage is a custom alert; if it is, the actions are disabled, because there is no management API for custom alerts, which must be managed by the end users. Note that installed alerts should be tuned and refined for the specific organization.

Alert coverage

Alert coverage overview

For Alert coverage, you are greeted by the MITRE ATT&CK matrix, which maps Devo's out-of-the-box detection library. The tactic tiles are color-coded according to the number of techniques that have some alerts installed for them in the Devo domain. The technique tiles are color-coded according to the number of alerts that are installed for that given technique in the Devo domain out of all the alerts that are available for installation.

Located in the top-right corner is the coverage scale percentage. This allows you to understand your alert and log source coverage at a glance with a percentage calculation. This percentage varies according to the filters that are applied. The coverage scale on the Alert coverage page uses the percentage of installed alerts out of the alerts available for installation, color-coded as follows:

  • Between 0% - 24.99%

  • 25% - 75%

  • 75.01% - 99.99%

  • 100%

Note

Unknown source and empty fields

You may see alerts with an unknown source and empty query and descriptions.

Either your secopsalertdescription lookup in Exchange needs to be updated, or the lookup contains custom alerts that are not found in the domain. In the latter case, delete those entries from the lookup in Lookup management.

Info

The application also supports the mapping of custom alerts through the SecOpsAlertDescription lookup. Simply add your detections to the system via Data search or Alert configuration and then add the necessary fields to the lookup for that alert.


The application now supports alerts being mapped to multiple tactics and techniques. The application pulls and maps them to the matrix, correctly displaying the coverage. Use the MitreAlertsExtendedDefinition lookup to add the additional entries. It is available to download below:

Attachment: MitreAlertsExtendedDefinition.csv

Note

In order to use the MitreAlertsExtendedDefinition lookup, the alert must also be present in the SecOpsAlertDescription lookup.

Furthermore, the table at the bottom of the Alert coverage screen shows the multiple tactics and techniques for an alert when you expand the field within that column. Reviewing this information in the table helps you improve coverage across the matrix.

Alert heatmap

Alert heatmap overview

The Alert Heatmap allows you to see the concentration of fired alerts per technique and tactic for a specific period of time.

The matrix uses the technique, tactic, or alert with the most fired alerts as the basis for calculating the density and color coding of the other tiles. See the following examples.

Technique example 1

In this example, the highest number of alerts fired for all techniques is 300.

Technique   | Alerts fired | % of highest | Density band
Technique A | 300          | 100.00%      | between 75% and 100% of the technique with the most alerts
Technique B | 250          | 83.33%       | between 75% and 100% of the technique with the most alerts
Technique C | 200          | 66.67%       | between 50% and 74.99% of the technique with the most alerts
Technique D | 150          | 50.00%       | between 50% and 74.99% of the technique with the most alerts
Technique E | 100          | 33.33%       | between 25% and 49.99% of the technique with the most alerts
Technique F | 50           | 16.67%       | between 0% and 24.99% of the technique with the most alerts
Technique G | 25           | 8.33%        | between 0% and 24.99% of the technique with the most alerts
Technique H | 10           | 3.33%        | between 0% and 24.99% of the technique with the most alerts

Technique example 2

In this example, the highest number of alerts fired for all techniques is 1000.

Technique   | Alerts fired | % of highest | Density band
Technique A | 1000         | 100.00%      | between 75% and 100% of the technique with the most alerts
Technique B | 500          | 50.00%       | between 50% and 74.99% of the technique with the most alerts
Technique C | 400          | 40.00%       | between 25% and 49.99% of the technique with the most alerts
Technique D | 300          | 30.00%       | between 25% and 49.99% of the technique with the most alerts
Technique E | 100          | 10.00%       | between 0% and 24.99% of the technique with the most alerts
Technique F | 50           | 5.00%        | between 0% and 24.99% of the technique with the most alerts
Technique G | 25           | 2.50%        | between 0% and 24.99% of the technique with the most alerts
Technique H | 10           | 1.00%        | between 0% and 24.99% of the technique with the most alerts

Tactic example

In this example, the highest number of alerts fired for all tactics is 1000.

Tactic   | Alerts fired | % of highest | Density band
Tactic A | 1000         | 100.00%      | between 75% and 100% of the tactic with the most alerts
Tactic B | 500          | 50.00%       | between 50% and 74.99% of the tactic with the most alerts
Tactic C | 300          | 30.00%       | between 25% and 49.99% of the tactic with the most alerts
Tactic D | 150          | 15.00%       | between 0% and 24.99% of the tactic with the most alerts
Tactic E | 100          | 10.00%       | between 0% and 24.99% of the tactic with the most alerts

Alerts example

In this example, the highest number of alerts fired for individual alerts is 100.

Alert   | Alerts fired | % of highest | Density band
Alert A | 100          | 100.00%      | between 75% and 100% of the alert with the most alerts
Alert B | 80           | 80.00%       | between 75% and 100% of the alert with the most alerts
Alert C | 50           | 50.00%       | between 50% and 74.99% of the alert with the most alerts
Alert D | 26           | 26.00%       | between 25% and 49.99% of the alert with the most alerts
Alert E | 2            | 2.00%        | between 0% and 24.99% of the alert with the most alerts

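The banding rules behind the coverage scale and the heatmap examples above, written out as an added Python example (not Devo's code). The threshold values are the ones this page lists; the function names, the two-decimal rounding and the zero-denominator handling are my assumptions.

```python
# Added example, not Devo's code: the colour-banding rules this page describes,
# written out so the thresholds can be checked against the page's example tables.
# Coverage scale (Alert coverage and Log source coverage tabs): installed alerts or
# ingesting log sources out of all available, banded exactly as the page lists.
# Heatmap: fired alerts on a tile divided by the busiest tile, banded in quarters.

# (lower bound, upper bound, label); bounds are inclusive and copied from the page.
COVERAGE_BANDS = [
    (0.0, 24.99, "0% - 24.99%"),
    (25.0, 75.0, "25% - 75%"),
    (75.01, 99.99, "75.01% - 99.99%"),
    (100.0, 100.0, "100%"),
]
HEATMAP_BANDS = [
    (0.0, 24.99, "between 0% and 24.99%"),
    (25.0, 49.99, "between 25% and 49.99%"),
    (50.0, 74.99, "between 50% and 74.99%"),
    (75.0, 100.0, "between 75% and 100%"),
]

def pct(numerator, denominator):
    """Percentage rounded to two decimals, as the page displays it (250/300 -> 83.33).
    Rounding first is what makes the bands contiguous: a value is either <= 24.99
    or >= 25.00, so nothing can fall into the gap between two bands."""
    if denominator == 0:          # nothing available / nothing fired: assumed 0 %
        return 0.0
    return round(100.0 * numerator / denominator, 2)

def band(value, bands):
    """Label of the band containing value (a 0..100 percentage)."""
    for low, high, label in bands:
        if low <= value <= high:
            return label
    raise ValueError(f"{value} is outside 0..100")

def coverage(installed, available):
    """Coverage percentage and its band for one tactic/technique tile."""
    p = pct(installed, available)
    return p, band(p, COVERAGE_BANDS)

def heatmap(fired):
    """fired: {tile name: alerts fired}. Returns {tile: (pct of busiest tile, band)}."""
    peak = max(fired.values(), default=0)
    return {tile: (pct(n, peak), band(pct(n, peak), HEATMAP_BANDS))
            for tile, n in fired.items()}

if __name__ == "__main__":  # constructed input: the page's "Technique example 1" counts
    ex = {"Technique A": 300, "Technique B": 250, "Technique C": 200, "Technique D": 150}
    print(heatmap(ex), coverage(3, 4))
```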
Log source coverage

Log source coverage overview

Under the Log source coverage page you can assess your coverage against the MITRE ATT&CK matrix based on the log sources you are currently ingesting. The log sources are mapped based on the alert definitions in the system: if an alert has a “Persistence” tactic and an “Account Manipulation” technique, the corresponding log sources (Devo tables) used by the alert are mapped to that tactic and technique in the Log source coverage section of the application.

Coverage on the Log source coverage page is measured as the number of log sources currently ingesting data compared with the total number of log sources mapped to the current tactic or technique. The coverage scale works as follows:

  • Between 0% - 24.99%

  • 25% - 75%

  • 75.01% - 99.99%

  • 100%

Export coverage to PDF

You can export a PDF of your log source coverage by clicking on the Export to PDF button, located in the top right corner of the screen. A PDF of the matrix is saved to your device.


Available log sources

The bottom of the Log source coverage screen displays all the available log sources and whether or not they are ingesting. You can view the current tactics and techniques that are covered, and the new ones that would be covered if you were to add specific log sources.


Enterprise matrix

You can also use the Enterprise matrix filter to narrow down to a specific platform (Windows, macOS, etc.).

Multitenancy

The MITRE ATT&CK Adviser application is a multitenant-enabled part of the Devo platform that provides visibility for multitenant Devo customers. The Tenant dropdown menu in the top bar of the application allows you to select between all domains or a single domain managed by the parent domain in which the application is present.

The Tenant dropdown changes the view on each part of the application: the Alert coverage, Alert heatmap, and Log source coverage screens. If all tenants are selected in the dropdown, coverage is shown across all the child tenants. However, if log source coverage is only partial across the domains, a warning symbol appears on the tile to warn you that only some of the domains are ingesting the log source for that technique. Hover over the warning symbol to learn which domains do not have coverage for the given technique.


The coverage value in the top right of each matrix adjusts based on the Tenant selection, so you know exactly the coverage within each domain. The Tenant dropdown is only present if the application is deployed into a parent domain.


The MITRE ATT&CK Adviser application now supports MSSPs. The additional capabilities enable MSSPs to deploy the MITRE ATT&CK Adviser application at the parent domain level and have visibility into child domain coverage. When deployed into a parent domain, the application has a new client filter in the top bar that lets users view coverage across all domains or within each specific domain.


The drop-down can be adjusted on any tab of the application to filter by the specific domain in question or all domains under the parent domain.

If specific log sources are not being ingested into the domain for alerts that have been installed then there is a warning icon that is displayed on the technique tile to inform the user that there might be alert coverage, but not log source coverage.


Lastly, alerts can be installed from within the application only in the parent domain. MSSP users must note that, right now, alerts cannot be pushed from the parent domain into the child domains. Alerts can be installed through the application when the “All clients” selection is made; however, these alerts are installed at the parent domain level, trigger based on the data in that domain, and contain the client field to inform analysts of where they came from. These alerts will not be visible to users in child domains.

Application configuration

The configuration section of the MITRE ATT&CK Adviser application enables you to customize the applicable Devo content for your MITRE ATT&CK coverage. The configuration section is available from the top menu bar of the application and is divided into Alerts and Log Source sections for user customization.  

If you want to customize which alerts from the Devo OOTB library count toward your alert coverage, you can view the alert library categorized by the different MITRE ATT&CK techniques. For example, if an organization is not interested in the “Active Scanning” technique, it can toggle the technique off, whether or not there are alerts installed for that technique. Alternatively, you can drill into the technique and select individual alerts to toggle out of the alert coverage calculation. You can also exclude all alerts or specific alerts by log source by going to the Log Source page and drilling down.

The Alerts page also enables you to filter the alerts based on several characteristics, including log source and name search. These help you find specific detections faster and modify your coverage more quickly.

If you want to customize which log sources count toward your log source coverage, go to the Log Source section of the application configuration. There you are presented with the complete list of log sources, and you can toggle off specific log sources that are not relevant to your organization. For example, if an organization never uses GCP, all of the coverage with respect to GCP can be toggled off so it no longer impacts the coverage scores within the application.

Custom groups

MITRE ATT&CK Adviser supports the creation of custom groups to be used within the application.  Custom groups enable customers to create: 

  • Custom threat groups 

  • Alert groups for data sources not tracked by MITRE

  • Groups to track their custom alert coverage 

Custom threat groups help organizations take threat groups from other security vendors and add them into the MITRE ATT&CK Adviser to quickly assess coverage of threat groups that are not tracked by MITRE.  

Alert groups for data sources enable organizations to map alerts for specific data sources to a group to understand what coverage specific data sources are getting them. For example, if a customer wants to understand what coverage their AWS detections give them within Devo, they can create a group of their AWS alerts and quickly monitor their coverage. 

Creating a custom group to track alerts that have been created by the customer in a single location is useful for understanding what coverage an organization has built itself versus what Devo has provided. Alerts can also be separated into specific groups for home-grown applications or other reasons, to track coverage on more specific parts of an organization’s data landscape.

Custom Threat Groups can be found in the App Configuration section of the MITRE ATT&CK Adviser application below: 


Custom Threat Groups can be created through the UI using the following fields: 

  • ID - An additional identifier for the custom group that’s been created. 

  • Name - The name of the custom group. 

  • Description - Field that describes the purpose or details of the group. 

  • Associated Threat Groups - Identifies the associated MITRE threat groups to the group that is being created.

  • Techniques - Selects the techniques that are associated with the custom group that will enable MITRE ATT&CK matrix filtering and coverage calculations throughout the application.

  • Alerts Used - Selects the alerts that are associated with the custom group that will enable MITRE ATT&CK matrix filtering and coverage calculations throughout the application.
