rabobank-cdc/DeTTECT

Question: How to handle non-mappable types of event?

Hackcidental opened this issue · 2 comments

Hi,

Thank you for this framework, my team and I are studying it, and we think it's a really great tool.

We're facing some issues where we have some types of events that we cannot map to the categories that are present in the framework.
How do you usually deal with those? Do you have some kind of guidance/mapping guide?

Two examples from the Windows Environment:

  • An account failed to log on
  • A Kerberos service ticket was granted

Thanks!

Hi @Hackcidental

A great resource on mapping event IDs from your logs to ATT&CK data sources/components is OSSEM:
https://github.com/OTRF/OSSEM-DM/blob/main/use-cases/mitre_attack/attack_events_mapping.csv

In OSSEM "An account failed to log on" is mapped to User Account Authentication data component.

"A Kerberos service ticket was granted" is not in OSSEM (yet). But I think the best mapping currently is Active Directory Credential Request.

Regards,
Ruben
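The workflow Ruben describes (look each event up in the OSSEM mapping CSV, and hand-map the ones OSSEM does not cover yet) is easy to script so it can be run over a whole event inventory rather than one event at a time. The block below is an added example, not code from the DeTTECT or OSSEM projects. It embeds a constructed excerpt written in the shape of OSSEM-DM's attack_events_mapping.csv; the column names used (Data Source, Component, EventID, Event Name, Event Platform, ...) are an assumption about that file's header and should be checked against the real CSV before pointing the loader at it. The Windows Security event IDs 4625 ("An account failed to log on") and 4769 ("A Kerberos service ticket was granted") are the standard IDs for the two events in the question; the 4769 override reproduces the Active Directory Credential Request mapping suggested above.

```python
import csv
import io
from collections import defaultdict

# Constructed excerpt in the shape of OSSEM-DM's attack_events_mapping.csv.
# The header below is an assumption about the real file; verify it first.
OSSEM_SAMPLE = """Data Source,Component,Source,Relationship,Target,EventID,Event Name,Event Platform,Log Source,Log Channel
User Account,User Account Authentication,user,attempted to authenticate from,host,4625,An account failed to log on,Windows,Microsoft-Windows-Security-Auditing,Security
User Account,User Account Authentication,user,authenticated from,host,4624,An account was successfully logged on,Windows,Microsoft-Windows-Security-Auditing,Security
Process,Process Creation,process,created,process,4688,A new process has been created,Windows,Microsoft-Windows-Security-Auditing,Security
"""

# Hand-made mappings for events OSSEM does not cover (yet), keyed by
# (platform, event id). 4769 -> Active Directory Credential Request is the
# mapping proposed in the thread; add your own decisions here as you make them.
MANUAL_OVERRIDES = {
    ("Windows", "4769"): ("Active Directory", "Active Directory Credential Request"),
}

# Constructed inventory of events a team might be collecting: (platform, id, name).
# 5140 is deliberately absent from both OSSEM_SAMPLE and MANUAL_OVERRIDES so the
# "unmapped" path is exercised.
INVENTORY = [
    ("Windows", 4625, "An account failed to log on"),
    ("Windows", 4769, "A Kerberos service ticket was granted"),
    ("Windows", 4688, "A new process has been created"),
    ("Windows", 5140, "A network share object was accessed"),
]


def load_ossem(csv_text):
    """Index OSSEM rows as (platform, event id) -> {(data source, component)}.

    One event can legitimately map to several data components, so the value
    is a set rather than a single pair.
    """
    index = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Event Platform"].strip(), row["EventID"].strip())
        index[key].add((row["Data Source"].strip(), row["Component"].strip()))
    return index


def map_events(inventory, ossem_index, overrides=MANUAL_OVERRIDES):
    """Map an event inventory to ATT&CK data components.

    Returns (components, unmapped):
      components: {data component name -> sorted list of event ids (as str)}
      unmapped:   inventory entries found neither in OSSEM nor in overrides
    OSSEM wins when it has the event; overrides are only consulted as a fallback.
    """
    components = defaultdict(set)
    unmapped = []
    for platform, event_id, name in inventory:
        key = (platform, str(event_id))
        hits = ossem_index.get(key)
        if not hits and key in overrides:
            hits = {overrides[key]}
        if not hits:
            unmapped.append((platform, event_id, name))
            continue
        for _source, component in hits:
            components[component].add(str(event_id))
    return {c: sorted(ids) for c, ids in components.items()}, unmapped


def run_example():
    """Run the mapping over the constructed inventory and return the result."""
    return map_events(INVENTORY, load_ossem(OSSEM_SAMPLE))


if __name__ == "__main__":
    components, unmapped = run_example()
    for component, ids in sorted(components.items()):
        print(f"{component}: events {', '.join(ids)}")
    for platform, event_id, name in unmapped:
        print(f"UNMAPPED {platform} {event_id} ({name}): decide a component manually")
```

The component names that come out are the ones to record in a DeTT&CT data-source administration file; the unmapped list is the backlog of events that still need a manual decision like the 4769 one in this thread, and keeping those decisions in `MANUAL_OVERRIDES` makes them reviewable when OSSEM later adds the event.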

Hi @rubinatorz,

Thank you for the great tip, we will look into the OSSEM mapping.

Best regards,
Matteo