Caveats

These scores will depict the potential value of the data source in finding more information about the technique, not everything is useful for detection rules. Some will be more useful for hunting or even only in Incident response.

This assessment will not be all covering, not will it be super exact on all levels. I’ve made the choice in favor of usability to not add weights to each individual event per technique, this would make it unusable for most people.

The Excel

Opening the file will take you to the DataSourceEvents worksheet. This is the most important page of the document in terms of scoring and maintaining.

The sheet contains the DataSource and Events, of which you can add as much as you like. Next to that are three subscores for Completeness, Timeliness, and Availability, which result in the score for that Event.

Scoring

Scoring your events is relatively straight forward, the legend is also included in the document on the RatingLegend page. I’ve tried to make this as simple as possible by using a 0–5 system. The total score is based on (2 * Completeness + Timeliness + 2 * Availability / 5) My rationale being the timeliness is less crucial than the other two, but should obviously be accounted for in the creation of hunts or detection rules.

Weights

Since not every data source is as important to each individual technique I decided to rate them by assigning a weight to them on a scale of 0–100, where the total should sum up to 100. This workbook can be edited, the weighing is based on my knowledge and experience. Pull requests are always welcome with improvements.

Knowledge base

I’ve been keeping track of a lot of logs, most of the relevant logs I’ve added to a workbook for easy reference;

Download

git clone https://github.com/olafhartong/ATTACKdatamap.git

Use

More details in a blog post here

Copyright (C) 2019 olafhartong