rabobank-cdc/DeTTECT

Guidance on how to use system's feature

jjjjjjjj987 opened this issue · 2 comments

Greetings!
Congrats on all the work with DeTTECT! It's really an awesome project.

I'm starting to use it and I'm struggling with systems types. You already provided some examples but I would like some guidance about how to best specify, for instance, firewalls and antivirus.

Currently I'm segregating by server and workstation. Should I add an EDR system type? Should I consider firewalls as a network platform type on cloud systems or add a separate system for it?

Any help will be deeply appreciated.

Hi @jjjjjjjj987

Segregation on server and workstation is usually a good choice. That's because you often have different data sources on those systems. For servers you might have full Windows event logs, while for endpoints you might not have that for some reason (such as the amount of traffic it generates).

I would not choose EDR as a "system type", because EDR is a data source itself. In ATT&CK you will not find EDR as a data source; instead it's divided into the data sources you'll find within your EDR, like "Process Creation", "Process: OS API Execution", etc.

Cross-system components like firewalls, proxies and e-mail are possibly applicable to both workstations and servers, so in that case you can choose "all" as applicable-to value for your data source.
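The advice above, turned into a DeTTECT data-source administration file, as an added illustration (this is not a file from the DeTTECT repository or from either participant): systems are split into servers and workstations, EDR-derived telemetry is modelled as ATT&CK data components scoped to the systems that run the agent, event-log data that is only forwarded from servers gets only a server entry, and the firewall is a data source with `applicable_to: ['all']`. The field layout follows the version 1.1 data-source-administration format as I recall it; the system names, product names, dates and quality scores are constructed, so check the keys against the sample files shipped with the project before using this as a template.

```yaml
%YAML 1.2
---
version: 1.1
file_type: data-source-administration
name: example-org   # constructed name

# Systems: group hosts by where the telemetry differs, not by the sensor
# that produces it. Note there is deliberately no "EDR" system here.
systems:
  - applicable_to: Windows servers
    platform: [Windows]
  - applicable_to: Windows workstations
    platform: [Windows]

data_sources:
  # Telemetry produced by the EDR agent, expressed as ATT&CK data components
  # and scoped to the systems that run the agent. Two entries let the data
  # quality differ per system type (assumed product name "ExampleEDR").
  - data_source_name: Process Creation
    data_source:
      - applicable_to: ['Windows servers']
        date_registered: 2023-01-01
        date_connected: 2023-01-01
        products: [ExampleEDR]
        available_for_data_analytics: True
        comment: 'Collected by the EDR agent on all servers'
        data_quality:
          device_completeness: 5
          data_field_completeness: 4
          timeliness: 5
          consistency: 4
          retention: 3
      - applicable_to: ['Windows workstations']
        date_registered: 2023-01-01
        date_connected: 2023-01-01
        products: [ExampleEDR]
        available_for_data_analytics: True
        comment: 'Agent rollout to workstations not yet complete'
        data_quality:
          device_completeness: 3
          data_field_completeness: 4
          timeliness: 5
          consistency: 4
          retention: 3

  # Full Windows event-log forwarding exists only for servers in this example,
  # so the workstation system simply has no entry for this component.
  - data_source_name: Logon Session Creation
    data_source:
      - applicable_to: ['Windows servers']
        date_registered: 2022-06-01
        date_connected: 2022-06-01
        products: [Windows Event Forwarding]
        available_for_data_analytics: True
        comment: 'Security event log forwarded from servers only'
        data_quality:
          device_completeness: 4
          data_field_completeness: 5
          timeliness: 4
          consistency: 5
          retention: 4

  # Cross-system component (perimeter firewall): one entry covering everything,
  # rather than a separate "firewall" system.
  - data_source_name: Network Traffic Flow
    data_source:
      - applicable_to: ['all']
        date_registered: 2021-03-01
        date_connected: 2021-03-01
        products: [ExampleFirewall]   # assumed product name
        available_for_data_analytics: True
        comment: 'Flow logs from the perimeter firewall, both segments'
        data_quality:
          device_completeness: 5
          data_field_completeness: 3
          timeliness: 4
          consistency: 4
          retention: 2
```

When DeTTECT generates the data-source and visibility layers from a file like this, the server and workstation views will differ on Process Creation (different scores) and Logon Session Creation (absent for workstations), while Network Traffic Flow shows up identically for both, which is exactly the distinction the thread is after.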

Hey @rubinatorz thanks a lot! These tips were really useful.

Have a good one!