Model Mapping Pages

Our model defines five levels of analytic robustness and three columns of event robustness. (See: Definitions) This section goes into deeper detail about how the levels and columns are defined and how to map observables onto our model.

Levels: Analytic Robustness Categories

There are five levels that represent how difficult it is for an adversary to evade an observable.

• Level 5: Core to Sub-Technique or Technique
• Level 4: Core to Some Implementations of (Sub-)Technique
• Level 3: Core to Pre-Existing Tools
• Level 2: Core to Adversary-Brought Tool
• Level 1: Ephemeral Values

Columns: Event Robustness Categories

There are three columns that represent where event data originates within the OS.

• Column A: Application
• Column U: User-Mode
• Column K: Kernel-Mode

For a quick search of an observable, please utilize the observables page.

• Observables Quick Search