
I was doing the MITRE ATT&CK SOC Assessment course and had a question about the right assessment of techniques and sub-techniques.

The sub-technique that we want to assess is "Application or System Exploitation" (ID: T1499.004); its Data Sources and Data Components are the following.

ID      Data Source       Data Component
DS0015  Application Log   Application Log Content
DS0029  Network Traffic   Network Traffic Content
                          Network Traffic Flow
DS0013  Sensor Health     Host Status

Now let's say we should assess the detection confidence of these sub-techniques in our SOC infrastructure. We look at our tools and find out that we have a tool that is brilliant at Network Traffic detection (to be more exact, let's say it detects 100/100 cases). In addition to this, the application log works fine.

So far, everything is being received by our SIEM, but the problem is that we don't have Sensor Health at all. It is not implemented.

How do we assess the techniques and sub-techniques globally, apart from the tools' working methods (static, behavior analysis, etc.)? For example, I would assess this sub-technique as "Some Detection" because we don't cover one entire Data Source, but we have pretty good results in the other Data Sources.

0 Answers
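One way to make the roll-up the question describes explicit is to score each Data Component, average within each Data Source, and then combine the sources so that an entirely missing source cannot hide behind the well-covered ones. The script below is an added example, not code from the question or from the MITRE course; the 0.8 detection rate for application logs, the 0.75 threshold and the three rating labels are assumptions for illustration, not MITRE's rubric. The component list is the one for T1499.004 quoted in the question.

```python
from dataclasses import dataclass

# Data components ATT&CK lists for T1499.004, copied from the question above.
T1499_004_COMPONENTS = [
    ("DS0015", "Application Log", "Application Log Content"),
    ("DS0029", "Network Traffic", "Network Traffic Content"),
    ("DS0029", "Network Traffic", "Network Traffic Flow"),
    ("DS0013", "Sensor Health", "Host Status"),
]


@dataclass
class Coverage:
    collected: bool        # does this telemetry reach the SIEM at all?
    detection_rate: float  # fraction of test cases the analytic fired on, 0.0 to 1.0


# Constructed SOC state mirroring the question: network traffic detection fires on
# 100/100 cases, application logs are collected and "work fine" (0.8 is an assumed
# figure for this example), sensor health is not implemented at all.
SOC_COVERAGE = {
    "Application Log Content": Coverage(collected=True, detection_rate=0.8),
    "Network Traffic Content": Coverage(collected=True, detection_rate=1.0),
    "Network Traffic Flow": Coverage(collected=True, detection_rate=1.0),
    "Host Status": Coverage(collected=False, detection_rate=0.0),
}


def assess(components, coverage):
    """Roll component coverage up to data sources, then to one rating.

    Components are averaged within their data source and data sources are
    weighted equally, so an uncollected source pulls the overall score down
    instead of vanishing behind the well-covered ones. The thresholds and
    labels are an assumption for this example, not MITRE's rubric.
    """
    per_source = {}
    for ds_id, _source, component in components:
        cov = coverage.get(component, Coverage(collected=False, detection_rate=0.0))
        # Telemetry that never reaches the SIEM scores zero no matter how good
        # the analytic would be on paper.
        rate = cov.detection_rate if cov.collected else 0.0
        per_source.setdefault(ds_id, []).append(rate)

    source_scores = {ds: sum(r) / len(r) for ds, r in per_source.items()}
    missing = sorted(ds for ds, score in source_scores.items() if score == 0.0)
    overall = sum(source_scores.values()) / len(source_scores)

    if overall == 0.0:
        level = "No Detection"
    elif missing or overall < 0.75:
        # An entire data source with nothing collected caps the rating,
        # whatever the other sources score.
        level = "Some Detection"
    else:
        level = "Good Detection"

    return {
        "overall": round(overall, 3),
        "per_source": source_scores,
        "missing_sources": missing,
        "level": level,
    }


if __name__ == "__main__":
    result = assess(T1499_004_COMPONENTS, SOC_COVERAGE)
    for ds, score in result["per_source"].items():
        print(f"{ds}: {score:.2f}")
    print(f"missing: {result['missing_sources']}, "
          f"overall: {result['overall']}, level: {result['level']}")
```

With the constructed state above the network and application sources score 1.0 and 0.8, Sensor Health scores 0.0 and is reported as a missing source, and the sub-technique lands on "Some Detection" regardless of how high the other sources score. Keeping "collected" separate from "detection_rate" is the point of the model: it lets the assessment distinguish a data source that is not onboarded from one that is onboarded but poorly detected, which is exactly the gap the question is asking about.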