Multitenancy

When accessing the parent domain in a multitenant structure, a dropdown lets you select any of the child domains at any moment, so you can check the specific activity of each one.


Using the application

You can see the entire MITRE ATT&CK matrix, with every technique it contains. Not all of these techniques can be detected with signature-based alerts or SIEM technology; the full matrix is shown so that you understand the complete breadth of attack techniques threat actors can use and can investigate them further.


You can also filter by threat coverage and by threat group. The threat group filter lets you select one or more of the threat groups tracked by MITRE; the matrix is then narrowed to only the tactics and techniques those groups use, so you can assess your MITRE ATT&CK coverage against that specific set of threat groups.


View additional information about tactics or techniques by hovering over the information icons in the matrix.

Export coverage to PDF

You can export a PDF of your alert coverage by clicking on the Export to PDF button, located in the top right corner of the screen. A PDF of the matrix is saved to your device.


Enterprise matrix

Just as in the MITRE ATT&CK matrix, in the Alert coverage and Log source coverage tabs you can use the Enterprise matrix filter to narrow the view to a specific platform (Windows, macOS, etc.).


Sub-techniques

Understand more about the sub-techniques behind techniques and identify areas where your organization might need additional protection. MITRE ATT&CK Techniques outline a particular way to achieve the goal of a tactic and a MITRE ATT&CK Technique might also include sub-techniques. These are particular ways to carry out the activities outlined in the technique. For example, the Brute Force Technique for Credential Access in the Enterprise Matrix has four sub-techniques:

  • Password guessing

  • Password cracking

  • Password spraying

  • Credential stuffing

All of these sub-techniques are ways to carry out the main technique but take advantage of different mechanisms to do so.


Click on a tactic or technique to see the detections that are available for your Devo domain. When you click a tactic or technique card, the table at the bottom of the screen updates to show the relevant alerts. Within the table you can also filter to specific tactics and techniques, and use the text search to find specific tactics, techniques, or alert names.


Install alert

Take action directly from the application to improve your organization's coverage against MITRE ATT&CK: each alert row in the table carries an install action. The install action is available for all domains and uses the same mechanism as the SecOps content manager. An installed alert can be uninstalled at any point.

The application runs two checks before enabling the action. The first confirms that the data source the alert needs is being ingested into the domain. The second checks whether the alert that would add to the coverage is a custom alert; if it is, the install and uninstall actions are disabled, because there is no management API for custom alerts and they have to be managed by the end users. Note that once alerts are installed, they should be tuned and refined to the specific organization.



Alert coverage overview

For Alert coverage, you are greeted by the MITRE ATT&CK matrix, which maps Devo's out-of-the-box detection library. The tactic tiles are color-coded according to the number of techniques that have some alerts installed for them in the Devo domain. The technique tiles are color-coded according to the number of alerts that are installed for that given technique in the Devo domain out of all the alerts that are available for installation.

Located in the top-right corner is the coverage scale percentage, which lets you understand your alert and log source coverage at a glance. The percentage is recalculated according to whatever filters are applied. On the Alert coverage page it is the percentage of installed alerts out of the alerts available for installation, color-coded as follows:

  • 0% - 24.99%

  • 25% - 75%

  • 75.01% - 99.99%

  • 100%

Info

The application also supports the mapping of custom alerts through the SecOpsAlertDescription lookup. Simply add your detections to the system via Data search or Alert configuration and then add the necessary fields to the lookup for that alert.


The application also supports alerts that map to multiple tactics and techniques. It pulls these extra mappings and places them on the matrix so that coverage is displayed correctly. Use the MitreAlertsExtendedDefinition lookup to add the additional entries; a template for it is available as the attached file MitreAlertsExtendedDefinition.csv.

Note

In order to use the MitreAlertsExtendedDefinition the alert must also be inside of the SecOpsAlertDescription lookup.

Furthermore, the table at the bottom of the Alert coverage screen shows all the tactics and techniques an alert is mapped to when you expand the field in that column for the alert. Reviewing this information in the table helps you decide where to improve coverage across the matrix.
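As an added example (not Devo's code and not its real lookup schema), the following Python rolls installed alerts up to technique and tactic coverage using the four-band scale described above, honours the rule that MitreAlertsExtendedDefinition entries only count when the alert is also present in SecOpsAlertDescription, and shows how a tactic filter changes the headline percentage. The column names, alert names and installed set are constructed assumptions.

```python
"""Added example (not Devo's code): roll installed alerts up to MITRE ATT&CK
technique and tactic coverage using the page's four-band scale, honouring the
extended (multi-tactic/technique) lookup. Lookup column names are assumed."""
from collections import defaultdict

# Constructed sample of the SecOpsAlertDescription lookup; column names are an assumption.
SECOPS_ALERT_DESCRIPTION = [
    {"alert": "SecOpsWinBruteForce",    "tactic": "Credential Access", "technique": "T1110"},
    {"alert": "SecOpsWinPasswordSpray", "tactic": "Credential Access", "technique": "T1110"},
    {"alert": "SecOpsWinNewLocalAdmin", "tactic": "Persistence",       "technique": "T1136"},
    {"alert": "SecOpsWinSchedTask",     "tactic": "Persistence",       "technique": "T1053"},
    {"alert": "SecOpsWinPsExec",        "tactic": "Lateral Movement",  "technique": "T1021"},
]

# Constructed sample of the MitreAlertsExtendedDefinition lookup: extra
# tactic/technique pairs for alerts that belong in more than one cell.
MITRE_ALERTS_EXTENDED_DEFINITION = [
    {"alert": "SecOpsWinSchedTask", "tactic": "Execution",            "technique": "T1053"},
    {"alert": "SecOpsWinSchedTask", "tactic": "Privilege Escalation", "technique": "T1053"},
    # Not present in SecOpsAlertDescription, so it must be ignored (see the note above).
    {"alert": "OrphanAlert",        "tactic": "Discovery",            "technique": "T1087"},
]

# Alerts currently installed in the domain (constructed).
INSTALLED = {"SecOpsWinBruteForce", "SecOpsWinSchedTask"}


def coverage_band(pct):
    """Colour scale used by the Alert coverage and Log source coverage tabs."""
    if pct >= 100:
        return "100%"
    if pct > 75:
        return "75.01% - 99.99%"
    if pct >= 25:
        return "25% - 75%"
    return "0% - 24.99%"


def alert_mappings(primary, extended):
    """alert -> set of (tactic, technique). Extended rows only count when the
    alert also exists in the primary lookup."""
    known = {row["alert"] for row in primary}
    mappings = defaultdict(set)
    for row in primary:
        mappings[row["alert"]].add((row["tactic"], row["technique"]))
    for row in extended:
        if row["alert"] in known:
            mappings[row["alert"]].add((row["tactic"], row["technique"]))
    return dict(mappings)


def technique_coverage(mappings, installed, tactic=None):
    """(tactic, technique) -> (pct, band): installed alerts / available alerts
    for that cell. The optional tactic filter mirrors filtering the matrix."""
    available, inst = defaultdict(set), defaultdict(set)
    for alert, pairs in mappings.items():
        for pair in pairs:
            if tactic and pair[0] != tactic:
                continue
            available[pair].add(alert)
            if alert in installed:
                inst[pair].add(alert)
    result = {}
    for pair, alerts in available.items():
        pct = 100.0 * len(inst[pair]) / len(alerts)
        result[pair] = (round(pct, 2), coverage_band(pct))
    return result


def tactic_coverage(tech_cov):
    """tactic -> (pct, band): techniques with at least one installed alert out
    of the techniques that have any alert available."""
    by_tactic = defaultdict(list)
    for (tactic, _technique), (pct, _band) in tech_cov.items():
        by_tactic[tactic].append(pct > 0)
    out = {}
    for tactic, hits in by_tactic.items():
        pct = 100.0 * sum(hits) / len(hits)
        out[tactic] = (round(pct, 2), coverage_band(pct))
    return out


def headline_coverage(mappings, installed, tactic=None):
    """Top-right percentage: unique installed alerts / unique available alerts
    in the (filtered) matrix. Counting each alert once is an assumption."""
    available = {alert for alert, pairs in mappings.items()
                 if not tactic or any(t == tactic for t, _ in pairs)}
    if not available:
        return 0.0
    return round(100.0 * len(available & installed) / len(available), 2)
```

With the constructed data, the Persistence tactic tile sits at 50% (one of its two techniques has an installed alert), while the headline figure drops from 40% for the whole matrix to 50% when the Persistence filter is applied, which is the filter-dependent behaviour the paragraph above describes.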


Alert heatmap overview

The Alert heatmap shows the concentration of fired alerts per tactic, technique and alert for a selected period of time.

The matrix takes the tactic, technique or alert with the most fired alerts in that period as the 100% reference; every other cell is colored by its count as a percentage of that maximum, using four density bands (75% - 100%, 50% - 74.99%, 25% - 49.99% and 0% - 24.99%). Note that this is a different scale from the coverage scale: density is relative to the busiest cell, not to the number of available alerts. See the following examples.

Technique example 1

In this example, the highest number of alerts fired for any single technique is 300.

Technique     Alerts fired   % of maximum   Density band
Technique A   300            100.00%        75% - 100% of the technique with the most alerts
Technique B   250            83.33%         75% - 100% of the technique with the most alerts
Technique C   200            66.67%         50% - 74.99% of the technique with the most alerts
Technique D   150            50.00%         50% - 74.99% of the technique with the most alerts
Technique E   100            33.33%         25% - 49.99% of the technique with the most alerts
Technique F   50             16.67%         0% - 24.99% of the technique with the most alerts
Technique G   25             8.33%          0% - 24.99% of the technique with the most alerts
Technique H   10             3.33%          0% - 24.99% of the technique with the most alerts

Technique example 2

In this example, the highest number of alerts fired for any single technique is 1000.

Technique     Alerts fired   % of maximum   Density band
Technique A   1000           100.00%        75% - 100% of the technique with the most alerts
Technique B   500            50.00%         50% - 74.99% of the technique with the most alerts
Technique C   400            40.00%         25% - 49.99% of the technique with the most alerts
Technique D   300            30.00%         25% - 49.99% of the technique with the most alerts
Technique E   100            10.00%         0% - 24.99% of the technique with the most alerts
Technique F   50             5.00%          0% - 24.99% of the technique with the most alerts
Technique G   25             2.50%          0% - 24.99% of the technique with the most alerts
Technique H   10             1.00%          0% - 24.99% of the technique with the most alerts

Tactic example

In this example, the highest number of alerts fired for any single tactic is 1000.

Tactic     Alerts fired   % of maximum   Density band
Tactic A   1000           100.00%        75% - 100% of the tactic with the most alerts
Tactic B   500            50.00%         50% - 74.99% of the tactic with the most alerts
Tactic C   300            30.00%         25% - 49.99% of the tactic with the most alerts
Tactic D   150            15.00%         0% - 24.99% of the tactic with the most alerts
Tactic E   100            10.00%         0% - 24.99% of the tactic with the most alerts

Alerts example

In this example, the highest number of times any individual alert fired is 100.

Alert     Times fired   % of maximum   Density band
Alert A   100           100.00%        75% - 100% of the alert with the most alerts
Alert B   80            80.00%         75% - 100% of the alert with the most alerts
Alert C   50            50.00%         50% - 74.99% of the alert with the most alerts
Alert D   26            26.00%         25% - 49.99% of the alert with the most alerts
Alert E   2             2.00%          0% - 24.99% of the alert with the most alerts
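The heatmap calculation behind the tables above, as an added Python example (not Devo's code): fired-alert events are filtered to a time window, counted per alert, rolled up to technique and tactic, and each cell is then expressed as a percentage of the busiest cell of the same kind and bucketed into the four density bands. The events, alert names and the alert-to-technique mapping are constructed for the example and are not real Devo data or Devo's lookup.

```python
"""Added example (not Devo's code): build the Alert heatmap from fired-alert
events. Density is each cell's count as a percentage of the busiest cell of
the same kind (alert, technique or tactic), bucketed into four bands."""
from collections import Counter
from datetime import datetime

# Constructed fired-alert events (ISO timestamp, alert name); not real Devo data.
FIRED_ALERTS = [
    ("2024-05-01T08:00:00", "SecOpsWinBruteForce"),
    ("2024-05-01T08:05:00", "SecOpsWinBruteForce"),
    ("2024-05-01T09:10:00", "SecOpsWinBruteForce"),
    ("2024-05-01T09:30:00", "SecOpsWinPasswordSpray"),
    ("2024-05-01T11:00:00", "SecOpsWinSchedTask"),
    ("2024-05-02T02:00:00", "SecOpsWinSchedTask"),   # outside the window used below
    ("2024-05-02T03:00:00", "SecOpsWinPsExec"),      # outside the window used below
]

# Constructed alert -> (tactic, technique) mapping; an assumption, not Devo's lookup.
ALERT_MAP = {
    "SecOpsWinBruteForce":    ("Credential Access", "T1110"),
    "SecOpsWinPasswordSpray": ("Credential Access", "T1110"),
    "SecOpsWinSchedTask":     ("Persistence",       "T1053"),
    "SecOpsWinPsExec":        ("Lateral Movement",  "T1021"),
}


def density_band(pct):
    """Heatmap scale: share of the cell with the most fired alerts."""
    if pct >= 75:
        return "75% - 100%"
    if pct >= 50:
        return "50% - 74.99%"
    if pct >= 25:
        return "25% - 49.99%"
    return "0% - 24.99%"


def heatmap(counts):
    """{name: fired} -> {name: (pct of max, band)}.
    A period with no fired alerts has no busiest cell, so everything is 0%."""
    peak = max(counts.values(), default=0)
    if peak == 0:
        return {name: (0.0, density_band(0)) for name in counts}
    return {name: (round(100.0 * n / peak, 2), density_band(100.0 * n / peak))
            for name, n in counts.items()}


def fired_in_window(events, start, end):
    """Count fired alerts per alert name within [start, end)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return Counter(name for ts, name in events
                   if lo <= datetime.fromisoformat(ts) < hi)


def roll_up(alert_counts, alert_map, level):
    """Aggregate per-alert counts to the 'technique' or 'tactic' level."""
    idx = 0 if level == "tactic" else 1
    out = Counter()
    for alert, n in alert_counts.items():
        out[alert_map[alert][idx]] += n
    return out


if __name__ == "__main__":
    day = fired_in_window(FIRED_ALERTS, "2024-05-01T00:00:00", "2024-05-02T00:00:00")
    for level in ("alert", "technique", "tactic"):
        cells = day if level == "alert" else roll_up(day, ALERT_MAP, level)
        print(level, heatmap(cells))
```

Because the reference point is the busiest cell, a single noisy alert (three brute-force hits here) pushes every other cell down the scale; that is why the heatmap is a view of relative concentration over the chosen period rather than of absolute volume.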


Log source coverage overview

Under the Log source coverage page you can assess your coverage of the MITRE ATT&CK matrix based on the log sources you are currently ingesting. Log sources are mapped through the alert definitions in the system: if an alert is mapped to the "Persistence" tactic and the "Account Manipulation" technique, the log source (the Devo table) that alert reads is mapped to that tactic and technique in the Log source coverage section of the application.

Coverage on the Log source coverage page is the number of log sources currently ingesting data compared with the total number of log sources mapped to the current tactic or technique. The coverage scale works as follows:

  • 0% - 24.99%

  • 25% - 75%

  • 75.01% - 99.99%

  • 100%

Export coverage to PDF

You can export a PDF of your log source coverage by clicking on the Export to PDF button, located in the top right corner of the screen. A PDF of the matrix is saved to your device.


Available log sources

The bottom of the Log source coverage screen lists all the available log sources and whether each one is currently ingesting. From there you can see which tactics and techniques are covered now, and which new ones would become covered if you were to add specific log sources.
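The following Python is an added example (not Devo's code) of the two calculations this tab performs: per-technique and per-tactic log source coverage on the four-band scale, and the what-if view of which cells a new log source would cover. Alert definitions are reduced to (alert, tactic, technique, table read by the alert); the alert names, the set of ingesting tables and the technique assignments are constructed for the example, and the table names are only illustrative.

```python
"""Added example (not Devo's code): Log source coverage per technique and
tactic from the Devo tables the alert definitions read, plus the what-if view
for adding a log source. Alert names and table assignments are constructed."""
from collections import defaultdict

# Constructed alert definitions: (alert, tactic, technique, table the alert reads).
ALERT_DEFINITIONS = [
    ("SecOpsWinBruteForce",      "Credential Access",   "T1110", "box.win"),
    ("SecOpsWinAccountManip",    "Persistence",         "T1098", "box.win"),
    ("SecOpsAwsIamPolicyChange", "Persistence",         "T1098", "cloud.aws.cloudtrail"),
    ("SecOpsAwsIamUserCreated",  "Persistence",         "T1136", "cloud.aws.cloudtrail"),
    ("SecOpsLinuxCronJob",       "Persistence",         "T1053", "box.unix"),
    ("SecOpsPaloAltoC2Beacon",   "Command and Control", "T1071", "firewall.paloalto.traffic"),
]

# Tables currently receiving data in the domain (constructed).
INGESTING = {"box.win"}


def coverage_band(pct):
    """Colour scale shared by the Alert coverage and Log source coverage tabs."""
    if pct >= 100:
        return "100%"
    if pct > 75:
        return "75.01% - 99.99%"
    if pct >= 25:
        return "25% - 75%"
    return "0% - 24.99%"


def sources_by_cell(defs):
    """(tactic, technique) -> set of tables read by alerts mapped to that cell."""
    cells = defaultdict(set)
    for _alert, tactic, technique, table in defs:
        cells[(tactic, technique)].add(table)
    return dict(cells)


def sources_by_tactic(defs):
    """tactic -> set of tables read by any alert mapped to that tactic."""
    tactics = defaultdict(set)
    for _alert, tactic, _technique, table in defs:
        tactics[tactic].add(table)
    return dict(tactics)


def log_source_coverage(sources, ingesting):
    """key -> (pct, band): ingesting tables / all tables mapped to the key."""
    out = {}
    for key, tables in sources.items():
        pct = 100.0 * len(tables & ingesting) / len(tables)
        out[key] = (round(pct, 2), coverage_band(pct))
    return out


def available_log_sources(defs, ingesting):
    """The bottom table of the tab: every mapped table and whether it ingests."""
    return {table: table in ingesting for _a, _t, _q, table in defs}


def what_if_add(defs, ingesting, table):
    """Cells that would go from 0% to covered, and cells whose percentage would
    rise, if `table` started ingesting. Returned as two sorted lists."""
    cells = sources_by_cell(defs)
    before = log_source_coverage(cells, ingesting)
    after = log_source_coverage(cells, ingesting | {table})
    newly = sorted(c for c in after if before[c][0] == 0 and after[c][0] > 0)
    improved = sorted(c for c in after if 0 < before[c][0] < after[c][0])
    return newly, improved


if __name__ == "__main__":
    print(log_source_coverage(sources_by_cell(ALERT_DEFINITIONS), INGESTING))
    print(log_source_coverage(sources_by_tactic(ALERT_DEFINITIONS), INGESTING))
    print(what_if_add(ALERT_DEFINITIONS, INGESTING, "cloud.aws.cloudtrail"))
```

The what-if step is the useful one for planning: with only box.win ingesting, adding cloud.aws.cloudtrail would newly cover Persistence/T1136 and lift Persistence/T1098 from 50% to 100%, whereas adding box.unix only unlocks Persistence/T1053. Ranking candidate sources by how many cells they unlock is a cheap way to prioritise onboarding work.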


Enterprise matrix

You can also use the Enterprise matrix filter to narrow the view to a specific platform (Windows, macOS, etc.).
