Define the data source and data component mapping
Use the Data Component Mapping if you are using the latest TAXII collections and you want to maintain a relationship between the data sources, data components, and the various techniques. Mapping data sources together with their data components adds a sublayer of context to each data source, which helps you understand adversary behaviors in MITRE-ATT&CK better.
Before you begin
- sn_ti.admin, sn_si.admin: write, delete access
- sn_ti.read: read access
About this task
Mapping the data sources and data components provides visibility into the data sources or components and the techniques that are relevant for your organization.
For example, if your organization focuses on 7 techniques, you may need 5 data sources and 10 data components to monitor these sources. Your evaluation of internal tools reveals that your organization doesn't have two of the data sources and four of the data components. This mapping exercise provides visibility into the data sources, components, and techniques, shows their relevance to your organization, and identifies the gaps in coverage. You can thus focus your investment on the right data sources and alert sensors to detect and mitigate adversary threats.
The MITRE-ATT&CK framework contains an updated structure for the data sources: Data Source: Data Component. This new form of data source adds context to each data source. The data source object features the name of the data source as well as key details about the collected data (file, process, network traffic, and so on) and the specific values or properties required to detect adversary behaviors.
The following illustration shows the MITRE-ATT&CK STIX™ structure representation for data sources and data components. You can see both the data sources and data components captured as custom STIX™ objects. The illustration shows that each data source contains one or more data components, and each data component detects one or more techniques.
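The following added example (not part of this documentation or of the ServiceNow product) walks the STIX structure described above and performs the gap analysis from the earlier example: it reads a bundle of `x-mitre-data-source`, `x-mitre-data-component` and `attack-pattern` objects linked by `detects` relationships, then reports which data components are still missing for the techniques your organization focuses on. The bundle, its object ids and the technique ids are constructed sample values, not real ATT&CK content.

```python
"""Map ATT&CK data sources -> data components -> techniques and find coverage gaps."""
import json

# Constructed sample bundle (ids and technique ids are not real ATT&CK values).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ds-1", "name": "Process"},
    {"type": "x-mitre-data-source", "id": "x-mitre-data-source--ds-2", "name": "Network Traffic"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc-1",
     "name": "Process Creation", "x_mitre_data_source_ref": "x-mitre-data-source--ds-1"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc-2",
     "name": "Network Connection Creation", "x_mitre_data_source_ref": "x-mitre-data-source--ds-2"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc-3",
     "name": "Network Traffic Content", "x_mitre_data_source_ref": "x-mitre-data-source--ds-2"},
    {"type": "attack-pattern", "id": "attack-pattern--t-1", "name": "Sample Technique A",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T-SAMPLE-1"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t-2", "name": "Sample Technique B",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T-SAMPLE-2"}]},
    # A data component "detects" a technique: source_ref is the component, target_ref the technique.
    {"type": "relationship", "id": "relationship--r-1", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--dc-1", "target_ref": "attack-pattern--t-1"},
    {"type": "relationship", "id": "relationship--r-2", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--dc-2", "target_ref": "attack-pattern--t-1"},
    {"type": "relationship", "id": "relationship--r-3", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--dc-3", "target_ref": "attack-pattern--t-2"},
]})


def build_mapping(bundle_json):
    """Return {technique_id: {(data source name, data component name), ...}}."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"] if "id" in o}
    mapping = {}
    for o in objs.values():
        if o.get("type") != "relationship" or o.get("relationship_type") != "detects":
            continue
        comp = objs[o["source_ref"]]                       # data component
        source = objs[comp["x_mitre_data_source_ref"]]     # its parent data source
        tech = objs[o["target_ref"]]                       # detected technique
        tid = next(r["external_id"] for r in tech["external_references"]
                   if r["source_name"] == "mitre-attack")
        mapping.setdefault(tid, set()).add((source["name"], comp["name"]))
    return mapping


def coverage_gaps(mapping, techniques_of_interest, available_components):
    """For each technique, list (source, component) pairs you do not yet collect.

    available_components is the set of (source name, component name) pairs your
    organization already has. A technique with no detecting component in the
    collection maps to None so it is not mistaken for fully covered.
    """
    return {tid: sorted(mapping[tid] - available_components) if tid in mapping else None
            for tid in techniques_of_interest}
```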
You can continue using the Data Source Mapping if your MITRE-ATT&CK repository contains the old TAXII collections and you've already mapped your data sources to various techniques. However, use the Data Component Mapping if you're using the latest TAXII collections and you want to maintain a relationship between the data sources, data components, and the various techniques.