Alert coverage
- Borja Moro Moreno
- Jonas Gonzalez
Overview
About the matrix
For the Alert coverage tab, you are greeted by the MITRE ATT&CK matrix, which maps Devo's out-of-the-box detection library.
The tactic tiles are color-coded based on the number of techniques with some alerts installed for them in the Devo domain. The technique tiles are color-coded based on the number of alerts installed for that given technique in the Devo domain, out of all the alerts available for installation.
View additional information about techniques by hovering over the information or warning icons in the matrix.
About coverage
Located in the top-right corner is the coverage scale percentage, which allows you to understand your alert coverage at a glance. This percentage works using the % of installed alerts compared to available alerts and varies according to the different filters you apply to visualize the matrix.
You can export a PDF of your alert coverage by clicking on the Export to PDF button, located in the top right corner of the screen. A PDF of the matrix is saved to your device.
 |
|
Work with the matrix
Show full matrix
As not all techniques are valid for signature-based alerts or SIEM technology, the default matrix view shows only those that are possible.
Showing the entire matrix helps you to understand the full breadth of attack techniques that threat actors can use for further investigation (unavailable techniques will be shown in gray).
Show subtechniques
MITRE ATT&CK Techniques outline a particular way to achieve the goal of a tactic and might also include sub-techniques, particular ways to carry out the activities outlined in the technique.
For example, the Brute Force Technique for Credential Access in the Enterprise Matrix has four sub-techniques. All of them are ways to carry out the main technique but take advantage of different mechanisms to do so.
Password guessing
Password cracking
Password spraying
Credential stuffing
The option to show all subtechniques helps you understand more about the sub-techniques behind techniques and identify areas where your organization might need additional protection. You can also click the expandable in each tile to hide or show the subtechniques manually.
Filter by enterprise matrix and log source
Just as in the MITRE ATT&CK matrix, you can use the Enterprise matrix filter to narrow down to a specific platform (windows, macOS, etc). You can also focus on specific technologies or products using the Log source filter.
Filter by threat coverage and group
You can also filter by threat coverage and threat group, the latter lets you select multiple threat groups that the MITRE organization is tracking. By selecting one or more threat groups the matrix is filtered to only the tactic and techniques the selected threat group uses. From there you can assess their MITRE ATT&CK coverage for the specific set of threat groups.
Work with alerts
Alert filtering
At the bottom of the screen you can see all the alerts available in the domain, as well as their status, details and management options. By clicking on a technique card, the table under the MITRE Matrix that includes only this card’s associated alerts is automatically retrieved.
Tables can be filtered by column, as shown below. You can also use the column text searches to find alerts that contain a given string in a specific column, and enhancing the search by choosing any of the following restrictions: 'Contains', 'Does not contain', 'Equals', 'Does not equal', 'Begins with', 'Ends with', 'Is blank', and 'Is not blank'.
Install and enable alerts
Take action directly from the application to improve coverage of your organization against MITRE ATT&CK. The installation is allowed for all domains and uses the same mechanism as the SecOps content manager to improve coverage.
The application performs various checks for the action. Firstly, it verifies that the data source is being ingested into the domains to enable the action. Secondly, it validates whether the alert contributing to the coverage is a custom alert. If this condition is met, the actions are deactivated since there is no management API available for these alerts, leaving their management to end users. It's important to note that upon installation of alerts, they should be customized and optimized according to the specific needs of each organization.
Unknown source and empty fields
You may see alerts with an unknown source and empty query and descriptions. Either you need to update your secopsalertdescription lookup in Exchange, or access Lookup management and delete the custom alerts added to the secopsalertdescription lookup.
Â
To install an alert, simply click on the Install button on the corresponding alert row:
Once installed, alerts must be enabled ('Active' column) to start running in search of threats and increate coverage in the matrix. Simply click the toggle on the corresponding alert row.
Define custom alerts
The application also supports the mapping of custom alerts through the SecOpsAlertDescription lookup. Simply add your detections to the system via Data search or Alert configuration and then add the necessary fields to the lookup for that alert.
Map alerts to multiple tactics and techniques
The application now supports alerts being mapped to multiple tactics and techniques. To do that, use the MitreAlertsExtendedDefinition lookup to add the additional entries ().
Once added, detections are pulled and mapped to the matrix, correctly displaying the coverage. The alerts in the table at the bottom are also updated, including all the tactics and techniques associated (you can expand a tactic or technique cell to show all that are assigned to that alert).
Also in the SecOpsAlertDescription lookup
In order to use the MitreAlertsExtendedDefinition the alert must also be inside of the SecOpsAlertDescription lookup.
Update alerts
Alerts provided by Devo are constantly kept up to date with the latest MITRE ATT&CK versions, parser field changes, query operators, etc. These changes are push to each Devo domain on a periodic basis to ensure having the latest in detection.Â
Users are able to update their alerts for their existing coverage. Whenever there is a new version of a detection, an Update button appear next to the Uninstall button. When that’s the case, there’s also a button to compare the old and new versions and see what the changes are, giving users confidence about the changes being performed by the update.
Â
Bulk actions
Actions such as enabling, disabling, installing, uninstalling, or updating alerts can be performed in bulk to save you time and optimize the process. Mark the checkboxes of the desired alerts and use the menu next to the master checkbox at the top, which shows the available actions for the alerts selected.
Â
Related articles:
Â