App configuration
Overview
The configuration section of the MITRE ATT&CK Adviser application enables you to customize the applicable Devo content for your MITRE ATT&CK coverage. The configuration section is available from the top menu bar of the application and is divided into Techniques/Alerts, Log Source/Alerts, and Threat/Custom groups sections.
Techniques/Alerts
This section shows information about all techniques and the related alerts that are installed, available, and included in the coverage calculation.
You can customize the alert coverage calculation by excluding or including alerts. For example, if an organization is not interested in “Active Scanning” technique, they have the option of toggling the technique off, whether or not there were alerts installed for that given technique.
If you want to customize which alerts from the Devo OOTB library count toward your alert coverage you can simply disable them by using the toggle of the corresponding technique row.
You can also drill into the technique and select individual alerts that you would like to toggle out of the alert coverage calculation. To go back to the list, simply click on the back button next to the technique name at the top.
You can also exclude alerts by log source in the log source tab (see section below).
Note that disabling them does not deactivate or uninstall them, only remove them from the coverage calculation.
The alert page allows you to filter the alerts by column based on several characteristics including tactic and technique. The alert name filter allows setting the search criteria. This enables you to quickly locate specific detections and make coverage adjustments more efficiently.
Log sources/Alerts
This section shows information about all log sources included in the coverage calculation, as well as the related alerts that are installed, available, and included.
You can customize the log source coverage calculation by excluding or including log sources. For example, if an organization never users GCP, all of the coverage with respect to GCP can be toggled off and no longer impact the coverage scores within the application.
If you want to customize what log sources are counted towards your log source coverage, you can simply disable them by using the toggle of the corresponding row.
You can also drill into the log source and select individual alerts that you would like to toggle out of the alert coverage calculation (not the log source coverage). To go back to the list, simply click on the back button next to the technique name at the top.
The log source page allows you to filter the logs based on several characteristics including log source,, technology, and status. This helps you to quickly locate specific log sources and make coverage adjustments more efficiently.
Threat/Custom groups
MITRE ATT&CK Adviser supports the creation of custom groups to be used within the application. Custom groups enable customers to create:
Custom threat groups: custom threat groups help organizations take threat groups from other security vendors and add them into the MITRE ATT&CK Adviser to quickly assess coverage of threat groups that are not tracked by MITRE.
Alert groups for data source not tracked by MITRE: alert groups for data sources enable organizations to map alerts for specific data sources to a group to understand what coverage specific data sources are getting them. For example, if a customer wants to understand what coverage their AWS detections give them within Devo, they can create a group of their AWS alerts and quickly monitor their coverage.
Groups to track their custom alert coverage: creating a custom group to track alerts that have been created by the customer in a single location is useful to understand what coverage an organization has brought versus what Devo has provided. Alerts can also be separated into specific groups for home-grown applications or other reasons to track coverage on more specific parts of an organization’s data landscape
Custom Threat Groups can be found in the App Configuration section of the MITRE ATT&CK Adviser application, and filtered by column.
Custom Threat Groups can be created through the UI using by clicking the green button at the top right (Create threat / custom group). Then you need to fill out the following fields:
ID - An additional identifier for the custom group that’s been created.
Name - The name of the custom group.
Description - Field that describes the purpose or details of the group.
Associated Threat Groups - Identifies the associated MITRE threat groups to the group that is being created.
Techniques - Selects the techniques that are associated with the custom group that will enable MITRE ATT&CK matrix filtering and coverage calculations throughout the application.
Alerts Used - Selects the alerts that are associated with the custom that will enable MITRE ATT&CK matrix filtering and coverage calculations throughout the application.
Custom log sources
This tab shows a list with all the tables in your domain that are automatically mapped into tactics and techniques within the MITRE framework, including details about their current mapping. The list can also be filtered by column.
Here you can assign currently ingested tables to tactics and techniques within the MITRE ATT&CK Framework but not remove those that are automatically mapped. To customize a table mapping:
Click the pencil icon at the end of the row to open the mapping menu.
Click the Add mapping button to add an additional row inside the Assigned tactics/techniques area.
To remove a row, click the trash can button (this button is grayed out for automatic mappings).Click on the Tactic dropdown and select one.
Clicking the dropdown again will let you choose a different one.Click on the Technique dropdown and select as many as you want.
To remove one of them, click on the X sign next to each of them.
Te remove all of them, click on the X sign of the technique boxClick Assign when you finish.
Related articles: