Multitenancy: When accessing the parent domain in a multitenant structure, there is a dropdown where you can select the different domains at any moment in case you want to check their specific activity.
Using the application
Alert coverage overview
For Alert coverage, you are greeted by the MITRE ATT&CK matrix, which maps Devo's out-of-the-box detection library. The tactic tiles are color-coded according to the number of techniques that have some alerts installed for them in the Devo domain. The technique tiles are color-coded according to the number of alerts installed for that technique in the Devo domain out of all the alerts that are available for installation. Located in the top-right corner is the coverage scale percentage, which lets you understand your alert and log source coverage at a glance; this percentage changes according to the filters that are applied. The coverage scale in the Alert coverage page uses the percentage of installed alerts compared to available alerts to color-code the tiles as follows:
Between 0% - 24.99%
25% - 75%
75.01% - 99.99%
100%
Info: The application also supports the mapping of custom alerts through the SecOpsAlertDescription lookup. Simply add your detections to the system via Data search or Alert configuration and then add the necessary fields to the lookup for that alert.
The application now supports alerts being mapped to multiple tactics and techniques; it pulls these mappings into the matrix and displays the coverage accordingly. Use the MitreAlertsExtendedDefinition lookup to add the additional entries. It is available to download as an attachment to this page.
Note: In order to use the MitreAlertsExtendedDefinition lookup, the alert must also be present in the SecOpsAlertDescription lookup.
Furthermore, the table at the bottom of the Alert coverage screen shows an alert's multiple tactics and techniques when you expand the field within that column. Viewing this information in the table helps you improve coverage across the matrix.
Alert heatmap overview
The Alert Heatmap allows you to see the concentration of fired alerts per technique and tactic for a specific period of time.
The matrix will use the technique, tactic or alert with the most alerts as the basis to calculate the density and color coding for the fired alerts. See the following examples.
Technique example 1
In this example, the highest number of alerts fired for all techniques is 300.
| Technique | Alerts fired | % of highest | Density band |
|---|---|---|---|
| Technique A | 300 | 100.00% | between 75% and 100% of the technique with the most alerts |
| Technique B | 250 | 83.33% | between 75% and 100% of the technique with the most alerts |
| Technique C | 200 | 66.67% | between 50% and 74.99% of the technique with the most alerts |
| Technique D | 150 | 50.00% | between 50% and 74.99% of the technique with the most alerts |
| Technique E | 100 | 33.33% | between 25% and 49.99% of the technique with the most alerts |
| Technique F | 50 | 16.67% | between 0% and 24.99% of the technique with the most alerts |
| Technique G | 25 | 8.33% | between 0% and 24.99% of the technique with the most alerts |
| Technique H | 10 | 3.33% | between 0% and 24.99% of the technique with the most alerts |
Technique example 2
In this example, the highest number of alerts fired for all techniques is 1000.
| Technique | Alerts fired | % of highest | Density band |
|---|---|---|---|
| Technique A | 1000 | 100.00% | between 75% and 100% of the technique with the most alerts |
| Technique B | 500 | 50.00% | between 50% and 74.99% of the technique with the most alerts |
| Technique C | 400 | 40.00% | between 25% and 49.99% of the technique with the most alerts |
| Technique D | 300 | 30.00% | between 25% and 49.99% of the technique with the most alerts |
| Technique E | 100 | 10.00% | between 0% and 24.99% of the technique with the most alerts |
| Technique F | 50 | 5.00% | between 0% and 24.99% of the technique with the most alerts |
| Technique G | 25 | 2.50% | between 0% and 24.99% of the technique with the most alerts |
| Technique H | 10 | 1.00% | between 0% and 24.99% of the technique with the most alerts |
Tactic example
In this example, the highest number of alerts fired for all tactics is 1000.
| Tactic | Alerts fired | % of highest | Density band |
|---|---|---|---|
| Tactic A | 1000 | 100.00% | between 75% and 100% of the tactic with the most alerts |
| Tactic B | 500 | 50.00% | between 50% and 74.99% of the tactic with the most alerts |
| Tactic C | 300 | 30.00% | between 25% and 49.99% of the tactic with the most alerts |
| Tactic D | 150 | 15.00% | between 0% and 24.99% of the tactic with the most alerts |
| Tactic E | 100 | 10.00% | between 0% and 24.99% of the tactic with the most alerts |
Alerts example
In this example, the highest number of alerts fired for individual alerts is 100.
| Item | Alerts fired | % of highest | Density band |
|---|---|---|---|
| Tactic A | 100 | 100.00% | between 75% and 100% of the alert with the most alerts |
| Tactic B | 80 | 80.00% | between 75% and 100% of the alert with the most alerts |
| Tactic C | 50 | 50.00% | between 50% and 74.99% of the alert with the most alerts |
| Tactic D | 26 | 26.00% | between 25% and 49.99% of the alert with the most alerts |
| Tactic E | 2 | 2.00% | between 0% and 24.99% of the alert with the most alerts |
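The following Python is an added example, not code from the Devo application, showing the heatmap arithmetic the tables above illustrate: fired alerts are tallied per technique, tactic and alert for a time window (an alert mapped to several tactics or techniques, as in the MitreAlertsExtendedDefinition lookup, is counted once under each), every count is expressed as a percentage of the busiest item, and the percentage is placed into one of the four density bands. The alert names, timestamps and mappings are constructed for the example; the counts in TECHNIQUE_EXAMPLE_1 reproduce "Technique example 1" from this page.

```python
"""Heatmap density worked example (added here; not Devo's code)."""
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Density bands from the page: percentage of the item with the most fired alerts.
DENSITY_BANDS = (
    (75.0, "between 75% and 100%"),
    (50.0, "between 50% and 74.99%"),
    (25.0, "between 25% and 49.99%"),
    (0.0, "between 0% and 24.99%"),
)


def density_percent(count: int, max_count: int) -> float:
    """Share of the busiest item, rounded to two decimals as the page displays it."""
    if max_count <= 0:
        return 0.0
    return round(count * 100.0 / max_count, 2)


def density_band(percent: float) -> str:
    """Return the band whose lower bound the rounded percentage meets."""
    for lower, label in DENSITY_BANDS:
        if percent >= lower:
            return label
    return DENSITY_BANDS[-1][1]


def heatmap(fired: Dict[str, int]) -> List[Tuple[str, int, float, str]]:
    """Rows of (name, count, percent of max, band), busiest first."""
    max_count = max(fired.values(), default=0)
    rows = []
    for name, count in sorted(fired.items(), key=lambda kv: (-kv[1], kv[0])):
        pct = density_percent(count, max_count)
        rows.append((name, count, pct, density_band(pct)))
    return rows


# A fired-alert record: (timestamp, alert name, [(tactic, technique), ...]).
# More than one mapping models an alert listed in MitreAlertsExtendedDefinition.
FiredAlert = Tuple[datetime, str, List[Tuple[str, str]]]


def tally(events: Iterable[FiredAlert], start: datetime, end: datetime):
    """Count firings in [start, end) per technique, per tactic and per alert."""
    by_technique: Dict[str, int] = {}
    by_tactic: Dict[str, int] = {}
    by_alert: Dict[str, int] = {}
    for ts, alert, mappings in events:
        if not (start <= ts < end):
            continue
        by_alert[alert] = by_alert.get(alert, 0) + 1
        # An alert counts once per distinct tactic and once per distinct technique.
        for tactic in {m[0] for m in mappings}:
            by_tactic[tactic] = by_tactic.get(tactic, 0) + 1
        for technique in {m[1] for m in mappings}:
            by_technique[technique] = by_technique.get(technique, 0) + 1
    return by_technique, by_tactic, by_alert


# Constructed counts reproducing "Technique example 1" from the page.
TECHNIQUE_EXAMPLE_1 = {
    "Technique A": 300, "Technique B": 250, "Technique C": 200, "Technique D": 150,
    "Technique E": 100, "Technique F": 50, "Technique G": 25, "Technique H": 10,
}

# Constructed firing records with hypothetical alert names; the last one falls
# outside the one-day window below and must be ignored by tally().
WINDOW_START = datetime(2024, 5, 1)
WINDOW_END = datetime(2024, 5, 2)
SAMPLE_EVENTS: List[FiredAlert] = [
    (datetime(2024, 5, 1, 9, 0), "New admin account", [("Persistence", "Account Manipulation")]),
    (datetime(2024, 5, 1, 9, 5), "New admin account", [("Persistence", "Account Manipulation")]),
    (datetime(2024, 5, 1, 10, 0), "Scheduled task created",
     [("Persistence", "Scheduled Task/Job"), ("Execution", "Scheduled Task/Job")]),
    (datetime(2024, 5, 3, 12, 0), "Port sweep", [("Reconnaissance", "Active Scanning")]),
]

if __name__ == "__main__":
    for row in heatmap(TECHNIQUE_EXAMPLE_1):
        print("%-12s %4d %7.2f%%  %s" % row)
    by_technique, by_tactic, by_alert = tally(SAMPLE_EVENTS, WINDOW_START, WINDOW_END)
    print(heatmap(by_technique))
    print(heatmap(by_tactic))
```

Because the bands are relative to the busiest item, the same absolute count lands in different bands in the two technique examples (100 firings is 33.33% of 300 but 10.00% of 1000), which is why a heatmap for a quiet period can look as dense as one for a busy period.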
Log source coverage overview
Under the Log source coverage page you can assess your coverage against the MITRE ATT&CK matrix based on the log sources you are currently ingesting. The log sources are mapped based on the alert definitions in the system, so that if an alert has a "Persistence" tactic and an "Account Manipulation" technique, the log sources (Devo tables) used by that alert are mapped to that tactic and technique in the Log source coverage section of the application.
Coverage in the Log source coverage page is calculated by comparing the number of log sources currently ingesting data with the total number of log sources mapped to the current tactic or technique. The coverage scale works as follows:
Between 0% - 24.99%
25% - 75%
75.01% - 99.99%
100%
Export coverage to PDF
You can export a PDF of your log source coverage by clicking on the Export to PDF button, located in the top right corner of the screen. A PDF of the matrix is saved to your device.
Available log sources
The bottom of the Log source coverage screen displays all the available log sources and whether or not they are ingesting. You can view the current tactics and techniques, and the new ones that would be covered if you were to add specific log sources.
Enterprise matrix
You can also use the Enterprise Matrix filter to narrow down to a specific platform (Windows, macOS, etc.).
Multitenancy and MSSP support
The MITRE ATT&CK Adviser application is a multitenant enabled part of the Devo platform that enables visibility for multitenant Devo customers. The Tenant dropdown menu provided in the top bar of the application allows you to select between all domains or just a single domain that is managed by the parent domain the application is present in.
The Tenant drop-down affects the view on each part of the application: the Alert coverage, Alert heatmap, and Log source coverage screens. If all tenants are selected in the dropdown, the view is based on all the child tenants where there is coverage; however, if there is only partial log source coverage across the domains, a warning symbol appears on the tile to warn you that only some of the domains have the log source ingesting for that technique. You can hover over the warning symbol to learn which domains do not have coverage for the given technique.
The coverage value in the top right of each matrix adjusts based on the Tenant selection, so you know exactly the coverage within each domain. The Tenant drop-down is only present if the application is deployed into a parent domain.
The MITRE ATT&CK Adviser application now supports MSSPs. The additional capabilities enable MSSPs to deploy the MITRE ATT&CK Adviser application at the parent domain level and have visibility into the child domain coverage. When deployed into a parent domain, the application has a new client filter in the top bar that enables users to view across all domains and within each specific domain.
The drop-down can be adjusted on any tab of the application to filter by the specific domain in question or by all domains under the parent domain.
If specific log sources are not being ingested into the domain for alerts that have been installed, a warning icon is displayed on the technique tile to inform you that there might be alert coverage, but not log source coverage.
Lastly, alerts can be installed from within the application only within the parent domain. MSSP users must note that right now alerts cannot be pushed from the parent domain into the child domains. Alerts can be installed through the application when the "All clients" selection is made; however, these alerts are installed at the parent domain level, trigger based on the data in that domain, and contain the client field to inform analysts of where they came from. These alerts will not be visible to users in child domains.
Configuration
The configuration section of the MITRE ATT&CK Adviser application enables you to customize the applicable Devo content for your MITRE ATT&CK coverage. The configuration section is available from the top menu bar of the application and is divided into Alerts and Log Source sections for user customization.
If you want to customize which alerts from the Devo OOTB library count toward your alert coverage you can view the alert library categorized by the different MITRE ATT&CK techniques. For example, if an organization was not interested in “Active Scanning” technique then they would have the option of toggling the technique off, whether or not there were alerts installed for that given technique. You can alternatively drill into the technique and select individual alerts that you would like to toggle out of the alert coverage calculation. You can also exclude all alerts or specific alerts by log source by going to the log source page and drilling down.
The alert page also enables you to filter the alerts based on several characteristics, including log source and name search. These help you find specific detections faster and modify your coverage more quickly.
If you want to customize which log sources are counted towards your log source coverage, go to the Log Source section of the application configuration. There you are presented with the complete list of log sources, and you can toggle off specific log sources that are not relevant to your organization. For example, if an organization never uses GCP, all of the coverage with respect to GCP can be toggled off so that it no longer affects the coverage scores within the application.
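The following Python is an added example, not code from the Devo application, that ties together three parts of this page: the Log source coverage calculation (ingesting sources out of the sources mapped to a technique through alert definitions, placed on the four-band coverage scale), the "All clients" view for a parent domain with the partial-coverage warning, and the configuration-page exclusions (a whole technique, a single alert, or a log source toggled out of the calculation). The alert names, table names and per-domain ingestion state are constructed, and the rule used for the warning hover (list the child domains whose own coverage falls short of the combined figure) is an assumed interpretation of the page's description.

```python
"""Log-source coverage with tenant aggregation and exclusions (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Coverage scale from the page: percentage of mapped log sources that are ingesting.
COVERAGE_BANDS = (
    (100.0, "100%"),
    (75.01, "75.01% - 99.99%"),
    (25.0, "25% - 75%"),
    (0.0, "Between 0% - 24.99%"),
)


def coverage_band(percent: float) -> str:
    """Return the band whose lower bound the rounded percentage meets."""
    for lower, label in COVERAGE_BANDS:
        if percent >= lower:
            return label
    return COVERAGE_BANDS[-1][1]


@dataclass(frozen=True)
class AlertDefinition:
    name: str
    tactic: str
    technique: str
    tables: Tuple[str, ...]  # Devo tables (log sources) the alert queries


NONE: FrozenSet[str] = frozenset()


def sources_by_technique(defs: Iterable[AlertDefinition], excluded_techniques=NONE,
                         excluded_alerts=NONE, excluded_sources=NONE) -> Dict[str, Set[str]]:
    """Technique -> log sources mapped to it through alert definitions, after the
    configuration-page exclusions (whole technique, single alert, log source)."""
    mapping: Dict[str, Set[str]] = {}
    for d in defs:
        if d.technique in excluded_techniques or d.name in excluded_alerts:
            continue
        sources = {t for t in d.tables if t not in excluded_sources}
        if sources:
            mapping.setdefault(d.technique, set()).update(sources)
    return mapping


def coverage(mapping: Dict[str, Set[str]], ingesting: Set[str]) -> Dict[str, Tuple[float, str]]:
    """Per technique: (percent of mapped sources currently ingesting, colour band)."""
    out = {}
    for technique, sources in mapping.items():
        pct = round(len(sources & ingesting) * 100.0 / len(sources), 2)
        out[technique] = (pct, coverage_band(pct))
    return out


def all_domains_view(mapping: Dict[str, Set[str]],
                     ingesting_by_domain: Dict[str, Set[str]]) -> Dict[str, Tuple[float, str, List[str]]]:
    """'All clients' view for a parent domain: a source counts as ingesting if any
    child domain ingests it. Each technique also lists the domains whose own
    coverage is below the combined figure (assumed content of the warning hover)."""
    combined: Set[str] = set().union(*ingesting_by_domain.values())
    view = {}
    for technique, (pct, band) in coverage(mapping, combined).items():
        short = sorted(
            domain for domain, ingesting in ingesting_by_domain.items()
            if coverage({technique: mapping[technique]}, ingesting)[technique][0] < pct
        )
        view[technique] = (pct, band, short)
    return view


# Constructed alert definitions with hypothetical names and table names.
DEFINITIONS = (
    AlertDefinition("User added to admin group", "Persistence", "Account Manipulation",
                    ("auth.windows", "auth.linux")),
    AlertDefinition("New cloud IAM key", "Persistence", "Account Manipulation", ("cloud.gcp.iam",)),
    AlertDefinition("Port sweep", "Reconnaissance", "Active Scanning", ("firewall.all",)),
)

# Constructed ingestion state for two child domains of a parent domain.
INGESTING = {
    "alpha": {"auth.windows", "auth.linux", "cloud.gcp.iam", "firewall.all"},
    "beta": {"auth.windows"},
}

if __name__ == "__main__":
    mapping = sources_by_technique(DEFINITIONS)
    print("beta alone:", coverage(mapping, INGESTING["beta"]))
    print("all clients:", all_domains_view(mapping, INGESTING))
    # An organisation that never uses GCP toggles that log source off:
    no_gcp = sources_by_technique(DEFINITIONS, excluded_sources={"cloud.gcp.iam"})
    print("beta without GCP:", coverage(no_gcp, INGESTING["beta"]))
```

Note that the combined view hides a child domain's gap unless the warning list is consulted: in the constructed data "beta" ingests only auth.windows, yet the "All clients" figure for Account Manipulation is 100% because "alpha" covers the other sources.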