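%YAML 1.2
---
# DeTT&CT data source administration file (example).
# It records which detection data sources are connected for the platforms named
# in 'platform' and how good that data is; DeTT&CT renders this as a data-source
# heat map and uses it to judge which ATT&CK techniques can realistically be
# detected. Score what is actually ingested, queryable and retained -- not what
# a product could deliver -- otherwise coverage gaps are hidden instead of shown.
# Schema version of this file format; kept numeric -- quoting it would change
# its type for the loader.
version: 1.0
file_type: data-source-administration
name: endpoints-example
# The list below only contains data sources that are applicable to the
# platforms named here. For more info see:
# - https://github.com/rabobank-cdc/DeTTECT/wiki/Data-sources-per-platform
platform: ['Windows', 'Azure', 'Azure AD', 'Office 365']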
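data_sources:
# One entry per data source. Each of the five 'data_quality' dimensions is
# scored 0-5; a data source is treated as NOT available when all five are 0.
# 'available_for_data_analytics' states whether the data can actually be
# queried for analytics (e.g. from the SIEM / data lake), not merely that it is
# generated somewhere.
# If desired you are free to add any extra key-value pairs to an entry
# (for example an owner or a change ticket).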
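- data_source_name: Process monitoring
  # Per the DeTT&CT wiki: date_registered is when the source was recorded in
  # this file, date_connected when it was connected to the analytics platform.
  # Both are left unquoted on purpose so the YAML loader yields dates, not
  # strings.
  date_registered: 2019-03-01
  date_connected: 2017-01-01
  products: [Windows event log]
  available_for_data_analytics: true
  # NOTE(review): process-creation events in the Windows event log only carry
  # the command line when that audit option is enabled separately; 'Process
  # command-line parameters' is scored 0 further down, which is consistent with
  # it not being enabled -- confirm that this is intentional.
  comment: ''
  data_quality:
    device_completeness: 5
    data_field_completeness: 5
    timeliness: 5
    consistency: 5
    retention: 5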
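# --- not available: no product connected, all quality dimensions 0.
# Dates are explicit null (same value to the loader as leaving them blank). ---
- data_source_name: File monitoring
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
# NOTE(review): Sysmon is listed as a product further down ('Process use of
# network'); if its process-creation event is enabled it carries the full
# command line, so this source could be scored -- check the Sysmon config.
- data_source_name: Process command-line parameters
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: API monitoring
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0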
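- data_source_name: Process use of network
  date_registered: 2019-07-25
  date_connected: 2019-07-25
  products: [Sysmon]
  available_for_data_analytics: true
  comment: ''
  # A 5 for device_completeness implies Sysmon runs on every in-scope Windows
  # host and its configuration does not filter out the relevant network
  # events -- NOTE(review): verify against the actual deployment.
  data_quality:
    device_completeness: 5
    data_field_completeness: 5
    timeliness: 5
    consistency: 5
    retention: 5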
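- data_source_name: Windows Registry
  date_registered: 2019-03-01
  date_connected: 2017-02-01
  products: [Windows event log]
  available_for_data_analytics: true
  comment: ''
  # Native registry auditing only produces events for keys that carry an audit
  # SACL; a blanket 5 assumes the SACLs cover all keys of interest (run keys,
  # services, ...) -- NOTE(review): verify which keys are audited.
  data_quality:
    device_completeness: 5
    data_field_completeness: 5
    timeliness: 5
    consistency: 5
    retention: 5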
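# --- not available: no product connected, all quality dimensions 0.
# Dates are explicit null (same value to the loader as leaving them blank). ---
- data_source_name: Packet capture
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
# NOTE(review): scored 0 although the Windows event log is an ingested product
# above -- confirm that logon events (Security log) really are not forwarded;
# otherwise this under-scores authentication coverage.
- data_source_name: Authentication logs
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Netflow/Enclave netflow
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
# NOTE(review): this ATT&CK data source is scored 0 while 'Windows event log'
# is the product behind several available entries in this file -- likely an
# omission in the example; revisit.
- data_source_name: Windows event logs
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Binary file metadata
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Network protocol analysis
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
# NOTE(review): 'DLL monitoring' and 'Loaded DLLs' are both 0 although Sysmon
# is deployed; if image-load events are enabled in the Sysmon config these two
# could be scored -- check before accepting the gap.
- data_source_name: DLL monitoring
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Loaded DLLs
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: System calls
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Malware reverse engineering
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0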
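- data_source_name: SSL/TLS inspection
  date_registered: 2019-01-10
  # 2000-01-01 reads as a placeholder rather than a real connection date.
  date_connected: 2000-01-01
  products: [Proxy Product]
  available_for_data_analytics: true
  comment: ''
  # NOTE(review): inspection only covers traffic that traverses the proxy and is
  # not on a decryption bypass list (pinned applications, exempted categories);
  # a full 5 should reflect what is actually decrypted, not the proxy's
  # capability.
  data_quality:
    device_completeness: 5
    data_field_completeness: 5
    timeliness: 5
    consistency: 5
    retention: 5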
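- data_source_name: Anti-virus
  date_registered: 2019-01-10
  # 2000-01-01 reads as a placeholder rather than a real connection date.
  date_connected: 2000-01-01
  products: [AV Product]
  available_for_data_analytics: true
  comment: ''
  # Lower data_field_completeness (2) and timeliness (3): presumably the AV feed
  # is alert-style output rather than rich telemetry -- treat it as such when
  # mapping detections.
  data_quality:
    device_completeness: 4
    data_field_completeness: 2
    timeliness: 3
    consistency: 5
    retention: 5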
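- data_source_name: Network intrusion detection system
  date_registered: 2019-01-10
  date_connected: 2016-01-01
  products: [NIDS]
  available_for_data_analytics: true
  comment: ''
  # device_completeness 4: a NIDS only sees traffic crossing the segments it
  # monitors -- NOTE(review): document which segments (and whether east-west
  # traffic) are covered so the 4 can be re-checked.
  data_quality:
    device_completeness: 4
    data_field_completeness: 3
    timeliness: 3
    consistency: 4
    retention: 4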
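# --- not available: no product connected, all quality dimensions 0.
# Dates are explicit null (same value to the loader as leaving them blank). ---
- data_source_name: Data loss prevention
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Application logs
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0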
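- data_source_name: Email gateway
  date_registered: 2019-01-10
  # 2000-01-01 reads as a placeholder rather than a real connection date.
  date_connected: 2000-01-01
  products: [Email Gateway Product]
  available_for_data_analytics: true
  comment: ''
  # retention 3 is the lowest of the available perimeter sources here;
  # phishing investigations often need to look back further -- worth noting
  # the actual retention period in 'comment'.
  data_quality:
    device_completeness: 4
    data_field_completeness: 3
    timeliness: 3
    consistency: 5
    retention: 3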
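# --- not available: no product connected, all quality dimensions 0.
# Dates are explicit null (same value to the loader as leaving them blank). ---
- data_source_name: Network device logs
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0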
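- data_source_name: Web proxy
  date_registered: 2019-01-10
  # 2000-01-01 reads as a placeholder rather than a real connection date.
  date_connected: 2000-01-01
  # Same placeholder product as the SSL/TLS inspection entry; presumably one
  # appliance feeds both data sources.
  products: [Proxy Product]
  available_for_data_analytics: true
  comment: ''
  # A 5 for device_completeness assumes all in-scope endpoints are forced
  # through the proxy (no direct egress) -- NOTE(review): verify.
  data_quality:
    device_completeness: 5
    data_field_completeness: 5
    timeliness: 5
    consistency: 5
    retention: 5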
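# --- not available: no product connected, all quality dimensions 0.
# Dates are explicit null (same value to the loader as leaving them blank). ---
- data_source_name: Windows Error Reporting
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Kernel drivers
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: User interface
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Host network interface
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Third-party application logs
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
# NOTE(review): scored 0 although the Windows event log is an ingested product
# in this file; if the System log is forwarded, service installation events
# would cover this source -- confirm which channels are collected.
- data_source_name: Services
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Web logs
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0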
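# --- not available: no product connected, all quality dimensions 0.
# Dates are explicit null (same value to the loader as leaving them blank). ---
- data_source_name: Detonation chamber
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
# NOTE(review): 'Office 365 trace logs' is scored available further down; if
# those cover mail flow, this ATT&CK data source may be under-scored -- confirm.
- data_source_name: Mail server
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Environment variable
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: MBR
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: BIOS
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Web application firewall logs
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Asset management
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0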
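# NOTE(review): this entry is marked available with a perfect score, yet has no
# product and no registration/connection dates. Either fill in the product and
# dates or score it 0 until it is actually connected -- as it stands the heat
# map would credit coverage that nothing in this file substantiates.
- data_source_name: DHCP
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: true
  # Custom (non-ATT&CK) data source; presumably it is not mapped to any
  # technique by DeTT&CT and therefore does not influence the heat map.
  comment: 'At the time of writing: unknown data source within ATT&CK'
  data_quality:
    device_completeness: 5
    data_field_completeness: 5
    timeliness: 5
    consistency: 5
    retention: 5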
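- data_source_name: DNS records
  date_registered: 2019-03-01
  date_connected: 2017-04-01
  products: [Windows DNS server]
  available_for_data_analytics: true
  comment: ''
  # A 5 for data_field_completeness implies per-query logging (client, name,
  # type), not only zone/record changes -- NOTE(review): confirm what the DNS
  # server is configured to log.
  data_quality:
    device_completeness: 5
    data_field_completeness: 5
    timeliness: 5
    consistency: 5
    retention: 5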
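# --- not available: no product connected, all quality dimensions 0.
# Dates are explicit null (same value to the loader as leaving them blank). ---
- data_source_name: Browser extensions
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Access tokens
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Digital certificate logs
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0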
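- data_source_name: Disk forensics
  date_registered: 2019-01-10
  date_connected: 2019-01-01
  products: [Manual, Commercial tool]
  available_for_data_analytics: true
  comment: ''
  # On-demand capability rather than a continuous feed: timeliness 1 and
  # retention 0 reflect that images are acquired manually after the fact and
  # are not kept as a standing data source. It still counts as available
  # because not all dimensions are 0.
  data_quality:
    device_completeness: 5
    data_field_completeness: 5
    timeliness: 1
    consistency: 5
    retention: 0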
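# --- not available: no product connected, all quality dimensions 0.
# Dates are explicit null (same value to the loader as leaving them blank). ---
- data_source_name: Component firmware
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
# NOTE(review): 'WMI Objects' and 'Named Pipes' are both 0 although Sysmon is
# deployed; if its WMI and pipe events are enabled in the config these could be
# scored -- check before accepting the gap.
- data_source_name: WMI Objects
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: VBR
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: Named Pipes
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
# NOTE(review): with sensor health at 0 nothing in this administration tells
# you when the Windows event log / Sysmon feeds scored above stop arriving; an
# attacker stopping or clearing logging on a host would go unnoticed. Forwarder
# or agent heartbeat monitoring would cover this source.
- data_source_name: Sensor health and status
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0
- data_source_name: EFI
  date_registered: null
  date_connected: null
  products: []
  available_for_data_analytics: false
  comment: ''
  data_quality:
    device_completeness: 0
    data_field_completeness: 0
    timeliness: 0
    consistency: 0
    retention: 0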
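- data_source_name: PowerShell logs
  date_registered: 2019-03-01
  date_connected: 2018-05-01
  products: [Windows event log]
  available_for_data_analytics: true
  # Only script block logging is claimed; module logging and transcription are
  # not mentioned -- NOTE(review): if they are off, data_field_completeness 5
  # may be generous. Also note that script block logging is bypassed by hosts
  # that still allow the PowerShell 2.0 engine (downgrade attacks) -- confirm it
  # is removed from the fleet.
  comment: 'Script block logging is enabled'
  data_quality:
    device_completeness: 5
    data_field_completeness: 5
    timeliness: 5
    consistency: 5
    retention: 4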
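# --- cloud data sources (Azure / Azure AD / Office 365), all connected on the
# same date. retention is 3 across the board; for these services retention is
# a workspace / licensing setting rather than a property of the product --
# NOTE(review): record the configured retention period in 'comment' so the 3
# can be re-checked. The platform list names 'Azure AD' but no entry explicitly
# covers Azure AD sign-in/audit logs; presumably 'Office 365 account logs' is
# meant to -- confirm. ---
- data_source_name: Azure OS logs
  date_registered: 2019-11-01
  date_connected: 2019-11-01
  products: [Log Analytics agent]
  available_for_data_analytics: true
  comment: ''
  # device_completeness 5 assumes the agent is installed on every in-scope VM;
  # agent-less or unmanaged VMs would not be covered.
  data_quality:
    device_completeness: 5
    data_field_completeness: 4
    timeliness: 5
    consistency: 5
    retention: 3
- data_source_name: Azure activity logs
  date_registered: 2019-11-01
  date_connected: 2019-11-01
  products: [Azure]
  available_for_data_analytics: true
  comment: ''
  data_quality:
    device_completeness: 5
    data_field_completeness: 4
    timeliness: 5
    consistency: 5
    retention: 3
- data_source_name: Office 365 account logs
  date_registered: 2019-11-01
  date_connected: 2019-11-01
  products: [O365]
  available_for_data_analytics: true
  comment: ''
  data_quality:
    device_completeness: 5
    data_field_completeness: 4
    timeliness: 5
    consistency: 5
    retention: 3
- data_source_name: Office 365 audit logs
  date_registered: 2019-11-01
  date_connected: 2019-11-01
  products: [O365]
  available_for_data_analytics: true
  comment: ''
  # data_field_completeness 3: unified audit logging has to be switched on and
  # not every workload is audited by default -- NOTE(review): list which
  # workloads are audited.
  data_quality:
    device_completeness: 5
    data_field_completeness: 3
    timeliness: 5
    consistency: 5
    retention: 3
- data_source_name: Office 365 trace logs
  date_registered: 2019-11-01
  date_connected: 2019-11-01
  products: [O365]
  available_for_data_analytics: true
  comment: ''
  data_quality:
    device_completeness: 5
    data_field_completeness: 4
    timeliness: 5
    consistency: 5
    retention: 3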
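exceptions:
# Listing a technique ID here removes that technique from the data-source heat
# map: it declares that, despite the data sources scored above, there is not
# enough data (or quality) to properly detect it. Use it to stop the heat map
# from over-claiming coverage.
# The entry below is only an example; add as many as apply.
# The 'name' key is optional and purely descriptive.
- technique_id: T1130
  name: Install Root Certificate
  # NOTE(review): T1130 is a technique ID from before ATT&CK introduced
  # sub-techniques; if the ATT&CK version DeTT&CT loads has retired it, this
  # exception will silently match nothing -- check the ID against that version.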