Mapping Methodology

Philosophy

Mappings are created by analyzing each in-scope sensor in relation to ATT&CK Data Sources. Because events collected by sensors sit at a different level of abstraction than ATT&CK objects, they cannot always perfectly detect the adversary behaviors they are mapped to. By completing the connection from conceptual data sources and components to concrete logs, sensors, and other security capabilities, cyber defenders gain information that helps them identify the relevant security data to collect for specific behaviors and environments.

Process

[Figure: build_sensor_mappings.png]

The Sensor Mappings to ATT&CK mapping methodology consists of the following steps: