
Multitenancy in MITRE ATT&CK Adviser

About multitenancy and the tenant selector

The MITRE ATT&CK Adviser application is a multitenant-enabled part of the Devo platform that provides visibility for multitenant Devo customers. These capabilities let MSSPs deploy the MITRE ATT&CK Adviser application at the parent domain level and see the coverage of each child domain.

When deployed into a parent domain, the application shows a new tenant dropdown in its top bar that lets users view coverage across all domains, or within any specific domain managed by the parent domain.

The Tenant dropdown is only present if the application is deployed into a parent domain. The selected tenant determines the view shown on each part of the application: the Alert coverage, Alert heatmap, and Log source coverage screens.

About coverage

The coverage value in the top right of each matrix adjusts based on the tenant selected, so you know exactly the coverage within each domain. If all tenants are selected in the dropdown, the value is calculated across all child tenants: a technique counts as covered if any child tenant has coverage for it.

Log coverage: if log source coverage is only partial across the domains, a warning symbol appears on the technique tile to warn you that only some of the domains are ingesting the log source for that technique. Hover over the warning symbol to see which domains do not have coverage for the given technique.

Alert coverage: if the log sources required by installed alerts are not being ingested into the domain, a warning icon appears on the technique tile to inform the user that there may be alert coverage without log source coverage.
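The coverage rules above (per-tenant scope, the all-tenants aggregation, the partial log coverage warning, and the alert-without-log-source warning) can be modelled in a few lines. The following is an added illustration, not Devo's own code; the technique-to-log-source mapping, the installed alerts, and the child domains are all constructed sample data, and the function names are hypothetical.

```python
# Illustrative model of the tenant-selector coverage rules (added example;
# not Devo's own code). All names and data below are hypothetical.
from dataclasses import dataclass

ALL_CLIENTS = "All clients"   # the dropdown option that spans every child domain

# Hypothetical mapping: technique -> log sources that give visibility for it
# (ingesting any one of them counts as log source coverage).
LOG_SOURCES_FOR_TECHNIQUE = {
    "T1059": {"windows.security", "sysmon"},   # Command and Scripting Interpreter
    "T1071": {"proxy", "firewall"},            # Application Layer Protocol
    "T1003": {"sysmon"},                       # OS Credential Dumping
}

# Hypothetical alerts installed in the parent domain: technique -> log sources
# the alert's query reads. Alerts are parent-level only, as the page states.
INSTALLED_ALERTS = {
    "T1059": {"windows.security"},
    "T1003": {"sysmon"},
}

# Constructed child domains and the log sources each one ingests.
CHILD_DOMAINS = {
    "acme": {"windows.security", "proxy", "sysmon"},
    "globex": {"windows.security"},
    "initech": {"firewall"},
}

@dataclass
class TileStatus:
    technique: str
    log_coverage: str           # "full", "partial" or "none"
    domains_without_logs: list  # what the hover on the warning symbol would list
    has_alert: bool
    alert_without_logs: list    # domains where an installed alert's log source is missing

def _scope(selected):
    """Domains in view: every child domain, or just the selected one."""
    if selected == ALL_CLIENTS:
        return dict(CHILD_DOMAINS)
    return {selected: CHILD_DOMAINS[selected]}

def technique_status(technique, selected=ALL_CLIENTS):
    """Compute the tile state for one technique under the current tenant selection."""
    scope = _scope(selected)
    needed = LOG_SOURCES_FOR_TECHNIQUE.get(technique, set())
    # A domain has log coverage if it ingests at least one relevant source.
    missing = sorted(d for d, srcs in scope.items() if not (srcs & needed))
    if not missing:
        log_cov = "full"
    elif len(missing) < len(scope):
        log_cov = "partial"      # some, but not all, domains ingest the source
    else:
        log_cov = "none"
    alert_sources = INSTALLED_ALERTS.get(technique)
    # Warning case: an alert is installed but a domain in scope does not ingest
    # the log source that alert depends on.
    alert_gaps = []
    if alert_sources:
        alert_gaps = sorted(d for d, srcs in scope.items() if not alert_sources <= srcs)
    return TileStatus(technique, log_cov, missing, alert_sources is not None, alert_gaps)

def matrix_coverage(selected=ALL_CLIENTS):
    """Percentage of techniques with log coverage in at least one domain in scope."""
    statuses = [technique_status(t, selected) for t in LOG_SOURCES_FOR_TECHNIQUE]
    covered = sum(1 for s in statuses if s.log_coverage != "none")
    return round(100 * covered / len(statuses), 1)

if __name__ == "__main__":
    for sel in (ALL_CLIENTS, "globex"):
        print(f"{sel}: {matrix_coverage(sel)}% of techniques covered")
        for t in LOG_SOURCES_FOR_TECHNIQUE:
            print("  ", technique_status(t, sel))
```

With "All clients" selected, every technique is covered by at least one child domain, so the matrix reports full coverage while each tile still carries a partial-coverage warning listing the domains that lack the source; selecting only `globex` drops the figure to one technique in three and turns the T1003 tile into an alert-without-log-source warning, since the parent-level alert reads `sysmon`, which that domain does not ingest.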

About alerts

Alerts can be installed only within the parent domain and cannot be pushed from the parent domain into the child domains.

Even though they are installed only for the parent domain and will trigger based on the parent domain data, they must be installed with the “All clients” option selected in the tenant dropdown.

These alerts contain the client field to inform analysts of the domain they come from but will not be visible to users in child domains.
