Mapping Methodology

Philosophy

Mappings are created by analyzing each in-scope sensor in relation to ATT&CK Data Sources. Events collected by sensors are at a different level of abstraction than ATT&CK objects, so they cannot always perfectly detect the adversary behaviors that they are mapped to. By completing the connection of conceptual data sources and components to concrete logs, sensors, and other security capabilities, cyber defenders have information to help identify relevant security data to collect for specific behaviors and environments.

Process

The Sensor Mappings to ATT&CK mapping methodology consists of the following steps:

• Step 1: Identify the Sensor’s Events: Identify the types of events the sensor can emit.

• Step 2: Definition Correlation: For each identified event, understand the security capabilities it provides.

• Step 3: Relationship Correlation: Identify the ATT&CK Data Sources mappable to event IDs.