Skip to content

Baseline for Detection Coverage (MITRE ATT&CK)

This document and associated checklist is intended to be used as a high-level self assessment against an organisations telemetry collection and detection analytics aligned to the MITRE ATT&CK Framework.

1. Shared Responsibility Model

For service providers see Supply Chain Risk Management (vendors should report detection coverage monthly and incidents within 24 hours). Otherwise ensure the Security Operations team is resourced to collect the below telemetry and manage detection, triage and response activities over them based on the organisations risk profile.

2. Data Sources

Below are the highest priority MITRE Data Sources to ensure telemetry and analytics are available for:

  1. DS0002 User Account - A profile representing a user, device, service, or application used to authenticate and access resources
  2. DS0025 Cloud Service - Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs
  3. DS0009 Process - Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures
  4. DS0017 Command - A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task
  5. DS0022 File - A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).
  6. DS0029 Network Traffic - Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)
  7. DS0015 Application Log - Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)

2.1 Telemetry Sensors

Based on these data sources telemetry sensor deployment can be prioritised as follows:

  1. Endpoints and Servers via XDR platforms
  2. Network via network analytics platforms
  3. Public / Private cloud via API or native platforms

2.2 XDR (Detection and Response) platforms

XDR platforms are regularly evaluated by MITRE Engenuity (ref: Turla (2023)). Please carefully consider Supply Chain Risk when selecting such platforms - constrain to independently assessed platforms hosted in Australia, such as Microsoft Defender XDR or Trend Vision One.

mitre eval summary

Self managed platforms like Wazuh (a SIEM platform that also inventories vulnerabilities, measures CIS Benchmarks and NIST 800-53 Compliance) are effective for internally capable teams or training purposes (below excellent vid by John Hammond):

3. Detection Assets

The below is a high level summary of assets and services from where security logs should typically be collected. Subsequent detection queries will refer to these assets.

  • Users - Identity Services (On Premise and SaaS), Application access
  • Mailboxes - Email mailboxes and associated inbound/outbound flows
  • Endpoints - Devices that users utilise to access organisational resources
  • Servers - Hypervisors, Servers, Container Platforms
  • Network Firewalls (Firewalls) - Network egress and internal network control points
  • Web Application Firewalls (WAFs) - Network ingress control points
  • Applications and Databases - Application logs and query logs from application runtimes (e.g. stack traces) and databases

4. Detection Checklist

The below checklist should be undertaken by the organisations security team to calculate the percentage coverage of assets (e.g. 8 / 10 Endpoints == 80% coverage) for a given log retention window (normally 12 months). This data is heavily used for threat hunting activities.

4.1. Excellent return on investment

These are available as out of the box integrations on fully SaaS platforms such as Microsoft Sentinel connected to Microsoft 365 Defender via Microsoft XDR. On-Prem sign-ins depending on the Defender for Identity require sensor deployment on all Domain Controllers (minimum version Windows Server 2012).

  • Users - Query a IPv4Address, IPv6Address, Protocol or User-Agent (HTTPRequestExt) across all Network Traffic for HTTPS sign ins.
  • Users - Query a IPv4Address, IPv6Address or Protocol across all Network Traffic for On-Prem sign ins.
  • Mailboxes - Email events and URL / attachment analysis using mail server Application Logs.
    • E.g. Defender for Office 365
    • Query a DomainName or EmailAddress across all emails.
    • Query a Subject (EmailMessage) across all emails.
    • Query a DomainName or URL across all links inside emails.
    • Query a SHA256 Hash (File) across all attachments inside emails.

4.2. Very high return on investment

These are available as integrations with some deployment requirements on Windows, macOs and Linux endpoints using Microsoft Defender for Endpoint.

4.3. High return on investment

Agent based network protection is relatively straightforward to ingest from application servers. High volume network traffic should be reviewed prior to ingestion to understand the volume of events and to avoid loading large quantities of low value events (such as Content Delivery Networks / File Sharing / Media Streaming logs).

5. Detection Analytics

The security tools collecting telemetry should be capable of running both built-in and custom analytics on a regular basis. Some repositories and tools to build high quality detection analytics are below:

  • Sigma - Sigma main rule repository. The place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. The repository offers more than 3000 detection rules of different type and aims to make reliable detections accessible to all at no cost.
  • Microsoft Sentinel Solutions - combinations of data connectors, workbooks, analytic rules, playbooks, hunting queries, parsers, watchlists, and more for Microsoft Sentinel.
  • reprise99 Sentinel Queries - Some tips, tricks and examples for using KQL for Microsoft Sentinel.
  • Sentinel custom content CI/CD - How to create and manage connections between Microsoft Sentinel and GitHub or Azure DevOps repositories. Managing your content in an external repository allows you to make updates to that content outside of Microsoft Sentinel, and have it automatically deployed to your workspaces.

5.1 Improving Microsoft Sentinel Detection Coverage

Under Review

The WA SOC's older detection and automation packs are currently being converted into an external content repository to enable better change management with git.

To improve detection coverage within Microsoft Sentinel, please follow the WA SOC telemetry re-ingestion and incident synchronisation guidance.

5.2 Sigma rule converter

The below sigmatron utility (open in new window) is built with the latest Sigma rules and provides a convenient interface to search and convert rules to several SIEM formats and query languages.

6. Sentinel Telemetry Gap Analysis (KQL)

The following listed queries help identify missing telemetry for endpoints in Microsoft Sentinel. The chart below depicts most seen observables per MITRE ATT&CK® (source: OSSEM project)

image

6.1 Process Creation

The following are common log sources for Process Creation events and relating kql queries to identify number of endpoints providing these observables.

Log source KQL
Audit Policy (SecurityEvent) SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4688 | summarize count_distinct(Computer)
Sysmon (Event) Event | where TimeGenerated > ago(7d) | where Source == "Microsoft-Windows-Sysmon" | where EventID == 1 | summarize count_distinct(Computer)
Defender (DeviceProcessEvents) DeviceProcessEvents | where TimeGenerated > ago(7d) | summarize count_distinct(DeviceName)
AzureAD (VMProcess) VMProcess | where TimeGenerated > ago(7d) | where isnotempty(ExecutableName) | summarize count_distinct(Computer)

6.2 Process Command Line

The following kql queries will provide number of endpoints with Command Line logging enabled.

Log type KQL
Audit Policy (SecurityEvent) SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4688 | where isnotempty(CommandLine) | summarize count_distinct(Computer)
AzureAD: VMProcess VMProcess | where TimeGenerated > ago(7d) | where isnotempty(CommandLine) |summarize count_distinct(Computer)
DeviceProcessEvents DeviceProcessEvents | where TimeGenerated > ago(7d) | where isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine) | summarize count_distinct(DeviceName)

6.3 Parent Process

Log type KQL
Audit Policy (SecurityEvent) SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4688 | where isnotempty(ParentProcessName) | summarize count_distinct(Computer)

6.4 Microsoft Defender Device Logs

Connect Microsoft 365 Defender to Micrososft Sentinel

Techniques: Microsoft Defender for Endpoint | Microsoft Security

Log type KQL
Process creation and related events DeviceProcessEvents | where TimeGenerated > ago(7d) | summarize count_distinct(DeviceName)
Network connection and related events DeviceNetworkEvents | where TimeGenerated > ago(7d) | summarize count_distinct(DeviceName)
Parent Process DeviceProcessEvents | where TimeGenerated > ago(7d) | where isnotempty(InitiatingProcessParentFileName) | summarize count_distinct(DeviceName)
Named Pipes DeviceEvents | where ActionType == "NamedPipeEvent" | where TimeGenerated > ago(7d) | summarize count_distinct(DeviceName)
File creation, modification, and other file system events DeviceFileEvents | where TimeGenerated > ago(7d) | summarize count_distinct(DeviceName)
Creation and modification of registry entries DeviceRegistryEvents | where TimeGenerated > ago(7d) | summarize count_distinct(DeviceName)
DLL loading events DeviceImageLoadEvents | where TimeGenerated > ago(7d) | summarize count_distinct(DeviceName)

6.5 Microsoft Defender Office 365 Logs Monitoring

Connect Microsoft 365 Defender to Micrososft Sentinel

Log type KQL
Email Events EmailEvents | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)
Email Attachment Info EmailAttachmentInfo | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)
Email Url Info EmailUrlInfo | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)
Email Post Delivery Events EmailPostDeliveryEvents | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)

6.6 Important activities

The table presented below provides a comprehensive list of significant Event IDs that can potentially signify noteworthy activities associated with malicious actions.

Type KQL
Local Authentication SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4624 | summarize count_distinct(Computer)
DC Authentication SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4776 | summarize count_distinct(Computer)
Group Enumeration SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4799 | summarize count_distinct(Computer)
Kerberos SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4769 | summarize count_distinct(Computer)
Certificate Usage (Kerb) SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4768 | summarize count_distinct(Computer)
Replication SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4662 | summarize count_distinct(Computer)
New Scheduled Task SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4698 | summarize count_distinct(Computer)
Powershell Execution SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4104 | summarize count_distinct(Computer)
Registry Value Modification SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4657 | summarize count_distinct(Computer)
RunAs SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4648 | summarize count_distinct(Computer)
Windows Firewall Rule Deletion SecurityEvent | where TimeGenerated > ago(7d) | where EventID == 4948 | summarize count_distinct(Computer)