Define the data source and detection tool mapping

  • Release version: Xanadu
  • Updated August 1, 2024

  Define the data source and detection tool mapping for MITRE ATT&CK tactics and techniques. The data source mapping gives you insight into the relevance and availability of the data sources in your environment, and of the detection tools that monitor those data sources.

    Before you begin

    Role required:
    • sn_ti.admin, sn_si.admin: write, delete access
    • sn_ti.read: read access

    About this task

    You can identify the data sources and the detection tools that your organization needs to detect the techniques effectively.

    For example, if your organization focuses on 5 techniques, you may need 10 data sources and 10 detection tools to monitor those sources. Suppose you then find that your organization lacks two of those data sources and five of the detection tools. This exercise gives you visibility into the data sources and their relevance to your organization, and lets you identify gaps in coverage, so that you can focus on enhancing your environment with the right data sources and detection tools.

    All the active tactics, techniques, IDs, and data sources are automatically populated based on your TAXII profile.

    Procedure

    1. Navigate to All > Threat Intelligence > MITRE ATT&CK Administration > Data Source Mapping.

      The following illustration shows the list of tactics, techniques, and their IDs that have been populated based on your collection updates.

      Map data sources.

      Field descriptions:
      • Tactic: Adversary’s objective or the reason for performing an action.
      • ID: Technique’s unique identifier.
      • Technique: How an adversary achieves a tactical objective by performing an action.
      • Data Source: Data source that is associated with the technique.
      • Data Source Revoked: Set to true if the data source is revoked; the data source mapping is still retained. If the data source value is not found in MITRE, the Data Source Revoked value is automatically marked as true. The data source mapping for a record is revoked if the technique and data source relationships are missing from the updated MITRE data. Default: false.
      • Data Source Available: Availability of the data source in your environment.
      • Detection Tool: Tool that supplements the data source by detecting the techniques that are used. The detection tool is mapped to the alert sensor in SIR.
      • Revoked: The data source mapping for a record is revoked if the technique and data source relationships are missing from the updated MITRE data. Default: false.

    2. Review the listed data sources and modify the value in the Data Source Available field based on your environment.
    3. In the Detection Tool field, do the following steps:
      Note: You cannot edit this entry from the list view.
      1. Click the information icon, and then click Open Record.
      2. Unlock the Detection Tool entry.
      3. Use the lookup list to select a detection tool. You can select multiple detection tools.
      4. Click Update.

      In the following illustration, multiple detection tools are added to monitor the data source.

      How to map the detection tool.
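The gap analysis described under About this task, together with the two revocation rules from the field descriptions, as an added example in Python that is not part of this documentation or of the product: the MITRE reference subset, the record fields, and the sample rows are constructed for illustration, and the tool names are placeholders.

```python
from dataclasses import dataclass, field
MITRE = {  # constructed, illustrative subset of MITRE ATT&CK data: technique ID -> data sources
    "T1059": {"Command", "Process", "Script"},
    "T1003": {"Process", "File", "Windows Registry", "Command"},
    "T1566": {"Application Log", "Network Traffic", "File"},
}

@dataclass
class MappingRecord:  # one row of the Data Source Mapping list; names follow the field descriptions
    technique_id: str
    data_source: str
    data_source_available: bool = False
    detection_tools: list = field(default_factory=list)
    data_source_revoked: bool = False  # Default: false
    revoked: bool = False              # Default: false

def apply_mitre_update(records, mitre):  # revocation rules applied after a collection update
    known = set().union(*mitre.values())
    for r in records:
        # data source not found in MITRE -> Data Source Revoked; relationship missing -> Revoked
        r.data_source_revoked = r.data_source_revoked or r.data_source not in known
        r.revoked = r.revoked or r.data_source not in mitre.get(r.technique_id, set())
    return records  # mappings are retained, only flagged

def coverage_report(records):
    """Group each technique's data sources by whether they currently yield detection."""
    report = {}
    for r in records:
        g = report.setdefault(r.technique_id, {"covered": [], "unavailable": [], "no_tool": [], "stale": []})
        if r.revoked or r.data_source_revoked:
            g["stale"].append(r.data_source)        # kept, but no longer backed by MITRE
        elif not r.data_source_available:
            g["unavailable"].append(r.data_source)  # data source missing from the environment
        elif not r.detection_tools:
            g["no_tool"].append(r.data_source)      # collected, but no detection tool mapped
        else:
            g["covered"].append(r.data_source)
    return report

def uncovered_techniques(report):  # no data source that is both available and monitored
    return sorted(t for t, g in report.items() if not g["covered"])
# Constructed sample rows; "Email Gateway" is intentionally not a MITRE data source name.
SAMPLE_RECORDS = [
    MappingRecord("T1059", "Command", True, ["EDR"]),
    MappingRecord("T1059", "Script", True),
    MappingRecord("T1003", "Process", False, ["EDR"]),
    MappingRecord("T1003", "Windows Registry", True, ["SIEM"]),
    MappingRecord("T1566", "Email Gateway", True, ["Mail filter"]),
    MappingRecord("T1566", "Process", True, ["EDR"]),
]
```

Running `coverage_report(apply_mitre_update(SAMPLE_RECORDS, MITRE))` shows T1059 with an unmonitored Script source, T1003 with an unavailable Process source, and T1566 left with only stale mappings, so it is the one technique with no effective coverage.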