Model Mapping Pages

Our model defines five levels of analytic robustness and three columns of event robustness. (See: Definitions) This section goes into deeper detail about how the levels and columns are defined and how to map observables onto our model.

Levels: Analytic Robustness Categories

There are five levels that represent how difficult it is for an adversary to evade an observable.

• Level 5: Core to Sub-Technique or Technique
• Level 4: Core to Some Implementations of (Sub-)Technique
• Level 3: Core to Pre-Existing Tools or Inside Boundary
• Level 2: Core to Adversary-Brought Tool or Outside Boundary
• Level 1: Ephemeral Values

Columns: Host-Based Event Robustness Columns

There are three columns that represent where event data originates within the OS.

• Column A: Application
• Column U: User-Mode
• Column K: Kernel-Mode

Columns: Network Traffic Robustness Columns

There are two columns that represent visibility into network traffic.

• Column P: Payload Visibility
• Column P: Header Visibility

For a quick search of an observable, please utilize the observables page.

• Observables Quick Search