Changed the platform and/or added some comments

Marcus Bakker 2020-02-10 07:39:11 +01:00
parent 743ba247aa
commit 4df0887070
3 changed files with 149 additions and 193 deletions


@ -4,7 +4,9 @@ version: 1.0
file_type: data-source-administration
name: empty-data-source-admin-file
# Fill in the correct MITRE ATT&CK enterprise platform(s). Multiple can be included using a list
# (Windows, Linux, macOS, AWS, GCP, Azure, Azure AD, Office 365, SaaS)
# - (Windows, Linux, macOS, AWS, GCP, Azure, Azure AD, Office 365, SaaS)
# Also, take into account which data sources are applicable per platform. For more info see:
# - https://github.com/rabobank-cdc/DeTTECT/wiki/Data-sources-per-platform
platform:
data_sources:
# A data source is treated as not available when all dimensions of the data quality have a score of 0.


@ -3,7 +3,9 @@
version: 1.0
file_type: data-source-administration
name: endpoints-example
platform: Windows
platform: ['Windows', 'Azure', 'Azure AD', 'Office 365']
# The list only contains data sources that are applicable to the above platforms. For more info see:
# - https://github.com/rabobank-cdc/DeTTECT/wiki/Data-sources-per-platform
data_sources:
# A data source is treated as not available when all dimensions of the data quality have a score of 0.
# If desired you are free to add any key-value pairs.
@ -619,30 +621,6 @@ data_sources:
timeliness: 5
consistency: 5
retention: 4
- data_source_name: AWS CloudTrail logs
date_registered:
date_connected:
products: []
available_for_data_analytics: False
comment: ''
data_quality:
device_completeness: 0
data_field_completeness: 0
timeliness: 0
consistency: 0
retention: 0
- data_source_name: AWS OS logs
date_registered:
date_connected:
products: []
available_for_data_analytics: False
comment: ''
data_quality:
device_completeness: 0
data_field_completeness: 0
timeliness: 0
consistency: 0
retention: 0
- data_source_name: Azure OS logs
date_registered: 2019-11-01
date_connected: 2019-11-01
@ -658,7 +636,7 @@ data_sources:
- data_source_name: Azure activity logs
date_registered: 2019-11-01
date_connected: 2019-11-01
products: [Log Analytics agent]
products: [Azure]
available_for_data_analytics: True
comment: ''
data_quality:
@ -667,22 +645,10 @@ data_sources:
timeliness: 5
consistency: 5
retention: 3
- data_source_name: OAuth audit logs
date_registered:
date_connected:
products: []
available_for_data_analytics: False
comment: ''
data_quality:
device_completeness: 0
data_field_completeness: 0
timeliness: 0
consistency: 0
retention: 0
- data_source_name: Office 365 account logs
date_registered: 2019-11-01
date_connected: 2019-11-01
products: [Microsoft Cloud App Security]
products: [O365]
available_for_data_analytics: True
comment: ''
data_quality:
@ -694,7 +660,7 @@ data_sources:
- data_source_name: Office 365 audit logs
date_registered: 2019-11-01
date_connected: 2019-11-01
products: [Microsoft Cloud App Security]
products: [O365]
available_for_data_analytics: True
comment: ''
data_quality:
@ -704,29 +670,17 @@ data_sources:
consistency: 5
retention: 3
- data_source_name: Office 365 trace logs
date_registered:
date_connected:
products: []
available_for_data_analytics: False
date_registered: 2019-11-01
date_connected: 2019-11-01
products: [O365]
available_for_data_analytics: True
comment: ''
data_quality:
device_completeness: 0
data_field_completeness: 0
timeliness: 0
consistency: 0
retention: 0
- data_source_name: Stackdriver logs
date_registered:
date_connected:
products: []
available_for_data_analytics: False
comment: ''
data_quality:
device_completeness: 0
data_field_completeness: 0
timeliness: 0
consistency: 0
retention: 0
device_completeness: 5
data_field_completeness: 4
timeliness: 5
consistency: 5
retention: 3
exceptions:
# Adding a technique ID below will result in removing that technique in the heat map (meaning not enough data source or quality is available for proper detection).
# Please note that the below is just an example, many more can exists.
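Review bot: Replacing concrete product names with the platform name (`products: [O365]` on the Office 365 account, audit and trace log entries, `products: [Azure]` on Azure activity logs) drops what the products field exists to record — which collector actually delivers the data, previously `Microsoft Cloud App Security` and `Log Analytics agent` — and the new spelling `O365` does not match the `Office 365` value used in the platform list, so any tooling that relates products to platforms will not line up. For an example file this may be deliberate, but a comment such as `# products: the product or collector that provides this data source, not the platform` next to `data_sources:` would stop users copying the pattern. The Office 365 trace logs entry is newly marked available with data-quality scores identical to the audit logs entry; if this mirrors a real environment, retention for trace logs is presumably not the same as for the audit log and should be assessed rather than copied. The added `available_for_data_analytics: True` keeps the file's capitalised boolean spelling, which PyYAML accepts but yamllint flags; `true` is the portable form.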


@ -1,7 +1,7 @@
version: 1.2
file_type: technique-administration
name: example
platform: Windows
platform: ['Windows', 'Azure', 'Azure AD', 'Office 365']
techniques:
# - Note that detection and visibility are independent from each other.
# Meaning that detection could be left blank and only have visibility filled in.
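Review bot: Widening `platform` to `['Windows', 'Azure', 'Azure AD', 'Office 365']` without touching the technique entries below means every technique's existing detection and visibility score now also claims coverage for the three cloud platforms, unless those entries carry per-platform scoring, which cannot be seen from this hunk; a heat map built from the file would then overstate cloud coverage for techniques that were only assessed on Windows. A comment on the platform line would make the assumption explicit, e.g. `# Scores below were assessed on Windows; re-check techniques that also apply to the cloud platforms`. The techniques section continues outside the hunk.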