rabobank-cdc/DeTTECT

Question regarding detection rules/scoring

jopbakker opened this issue · 1 comment

Hello,

I was wondering if you would be able to help/advise me on the proper use of the detection scoring/mapping part of the framework.

Currently I'm working on mapping all of our SIEM (use cases) and EDR/IDS rules into the framework, but I'm running into an issue where I have multiple rules that are applicable to the same MITRE technique. Normally this would not be an issue as I can use the "location of the detection(s)" field to record what rules are applicable, but I would like to score each detection rule separately. However, this does not seem to be possible as I can only add a "system" once per MITRE technique.

Do you know if it is possible to record multiple detection rules on the same MITRE technique and still be able to record separate detection scores, or am I using the detection part wrong and should I use it some other way?
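The situation described in the question, as an added example that is not part of this thread or of the DeTTECT project: per-rule scores are kept in a separate table and rolled up into one score per technique and system, which is the granularity at which a detection entry is recorded. The rule table is constructed sample data; the fields emitted for each detection entry (`applicable_to`, `location`, `comment`, `score_logbook`) follow the DeTTECT technique administration YAML as I recall it and are an assumption to check against the current schema, and the choice of `max` as the roll-up is mine.

```python
"""Roll per-rule detection scores up to one score per (technique, system).

Added example, not DeTTECT project code. RULES is constructed sample data.
The shape of the emitted detection entry (applicable_to, location, comment,
score_logbook) is assumed from the DeTTECT technique administration YAML and
should be checked against the schema version in use.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: a SIEM use case and two EDR rules that all cover T1003
# on Windows, one IDS signature for T1003 on Linux, and one EDR rule for
# T1059.001. Scores use the 0-5 scale DeTTECT uses for detection.
RULES = [
    {"rule_id": "SIEM-UC-017", "technique_id": "T1003", "system": "windows", "source": "SIEM", "score": 2},
    {"rule_id": "EDR-R-104", "technique_id": "T1003", "system": "windows", "source": "EDR", "score": 4},
    {"rule_id": "EDR-R-221", "technique_id": "T1003", "system": "windows", "source": "EDR", "score": 3},
    {"rule_id": "IDS-S-009", "technique_id": "T1003", "system": "linux", "source": "IDS", "score": 1},
    {"rule_id": "EDR-R-330", "technique_id": "T1059.001", "system": "windows", "source": "EDR", "score": 3},
]


def rollup(rules, aggregate=max, as_of=None):
    """Return {technique_id: [detection entry, ...]} with one entry per system.

    Each entry carries the aggregated score in score_logbook, lists every
    contributing rule in location, and keeps the individual rule scores in
    the comment so the per-rule scoring is not lost in the roll-up.
    """
    as_of = as_of or date.today()
    by_key = defaultdict(list)
    for r in rules:
        if not 0 <= r["score"] <= 5:
            raise ValueError(f"{r['rule_id']}: score {r['score']} outside 0-5")
        by_key[(r["technique_id"], r["system"])].append(r)

    out = defaultdict(list)
    for (tid, system), group in sorted(by_key.items()):
        group.sort(key=lambda r: r["rule_id"])
        out[tid].append({
            "applicable_to": [system],
            "location": [f"{r['source']}:{r['rule_id']}" for r in group],
            "comment": "; ".join(f"{r['rule_id']}={r['score']}" for r in group),
            "score_logbook": [{
                "date": as_of.isoformat(),
                "score": aggregate(r["score"] for r in group),
                "comment": f"{aggregate.__name__} of {len(group)} rule score(s)",
            }],
        })
    return dict(out)


def applicable_to_is_unique(entries):
    """Check the constraint from the question: a system may appear only once
    in the detection entries of a single technique."""
    seen = set()
    for entry in entries:
        for system in entry["applicable_to"]:
            if system in seen:
                return False
            seen.add(system)
    return True


if __name__ == "__main__":
    for tid, entries in rollup(RULES, as_of=date(2020, 1, 1)).items():
        assert applicable_to_is_unique(entries)
        for e in entries:
            print(tid, e["applicable_to"], e["score_logbook"][0]["score"], e["comment"])
```

Passing `aggregate=min` instead of `max` gives the conservative reading (the technique is only as well covered as its weakest rule); either way the comment string preserves each rule's own score for later review.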

Hi @jopbakker

Maybe we can have a call to discuss this? Can you send me a DM on Twitter? My twitter handle is: @rubinatorz

Regards,
Ruben