SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Add "Not Applicable" status to blue team test case detection options #87

Status: Closed. codeEmitter closed this issue 2 years ago.

codeEmitter commented 4 years ago

Is it possible to add a "Not Applicable" detection outcome in the blue team details for a test case? I sometimes create test cases that are never meant to be detectable, but add fidelity and important detail to the escalation path for a particular campaign. In this case, none of the options (TBD, Blocked, Detected, NotDetected) makes the most sense. For now, we're able to work around it by setting the option to TBD with no expected detection layer. I'm curious to know if there is intent behind the lack of this type of option, or if this would be something to add to keep the assessment metrics from becoming skewed.

(attached screenshot: test-case-detections)
thebleucheese commented 4 years ago

Thanks for the input!

I think this is already on our radar to be discussed internally and to verify that it works and is desirable behavior. Just to clarify with an example: when you're emulating an adversary, that adversary may run a command like ipconfig with certain arguments. It's probably too noisy to alert on ipconfig commands in your log aggregation tool / SIEM, but that command is part of that adversary's arsenal and may serve to inform the next steps for Red Team operators in an emulation campaign. In this case, you wouldn't want to record an outcome for the Test Case as there's no detection expected ("No Detection Expected" may be a good Outcome label for this).

Does this capture the intent?

codeEmitter commented 4 years ago

Yes, that's exactly the type of use case I'm considering. Also, I like the 'No Detection Expected' semantics. Thanks for your quick response and also for the awesome app! We're using it heavily these days.

codeEmitter commented 4 years ago

It would seem that test cases that fall into the 'No Detection Expected' category wouldn't negatively impact metrics for an assessment in a report. Perhaps they don't show up at all, or perhaps you could toggle their visibility and impact on the metrics.
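The metric skew discussed above, shown as an added example that is not part of this issue or of VECTR's own code: a small scorer over a constructed campaign. The outcome labels (TBD, Blocked, Detected, NotDetected) come from the thread, the NoDetectionExpected label is the one proposed in it, and the TestCase shape, the detection_layer field and the campaign data are assumptions made for illustration only. It computes detection coverage once with NoDetectionExpected cases dropped from the denominator and once with them scored as NotDetected, and also lists cases parked as TBD with no expected layer, which is the workaround from the original report.

```python
"""Detection-coverage metrics with and without a 'No Detection Expected' outcome.

Added example; not VECTR's code. Outcome labels are taken from the thread;
the TestCase shape and the campaign below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Outcomes listed in the issue, plus the one proposed in the thread.
EXISTING_OUTCOMES = {"TBD", "Blocked", "Detected", "NotDetected"}
NO_DETECTION_EXPECTED = "NoDetectionExpected"
VALID_OUTCOMES = EXISTING_OUTCOMES | {NO_DETECTION_EXPECTED}


@dataclass(frozen=True)
class TestCase:
    name: str
    outcome: str
    detection_layer: str = ""  # e.g. "EDR" or "SIEM"; empty under the TBD workaround


def coverage(cases: Iterable[TestCase], honour_not_applicable: bool = True) -> dict:
    """Score a campaign.

    Blocked and Detected count as successes, NotDetected as a failure, and TBD
    is unscored (not yet assessed). A NoDetectionExpected case is dropped from
    the denominator when honour_not_applicable is True; otherwise it is scored
    as NotDetected, which is the skew the issue describes.
    """
    successes = failures = unscored = excluded = 0
    for tc in cases:
        if tc.outcome not in VALID_OUTCOMES:
            raise ValueError(f"{tc.name}: unknown outcome {tc.outcome!r}")
        if tc.outcome in ("Blocked", "Detected"):
            successes += 1
        elif tc.outcome == "NotDetected":
            failures += 1
        elif tc.outcome == "TBD":
            unscored += 1
        elif honour_not_applicable:
            excluded += 1
        else:
            failures += 1
    scored = successes + failures
    return {
        "successes": successes,
        "failures": failures,
        "unscored": unscored,
        "excluded": excluded,
        "rate": successes / scored if scored else None,
    }


def tbd_without_layer(cases: Iterable[TestCase]) -> List[str]:
    """Cases parked as TBD with no expected detection layer (the workaround from
    the issue). They cannot be told apart from genuinely unassessed cases that
    simply lack a layer, which is why a dedicated outcome is preferable."""
    return [tc.name for tc in cases if tc.outcome == "TBD" and not tc.detection_layer]


# Constructed campaign (not real assessment data).
CAMPAIGN = [
    TestCase("ipconfig /all (host discovery)", NO_DETECTION_EXPECTED),
    TestCase("whoami /groups", NO_DETECTION_EXPECTED),
    TestCase("LSASS memory dump", "Detected", "EDR"),
    TestCase("PsExec lateral movement", "Blocked", "EDR"),
    TestCase("Scheduled task persistence", "NotDetected", "SIEM"),
    TestCase("DCSync", "TBD", "SIEM"),
]

# The same campaign recorded with the workaround: discovery steps parked as TBD.
WORKAROUND_CAMPAIGN = [
    TestCase(tc.name, "TBD", "") if tc.outcome == NO_DETECTION_EXPECTED else tc
    for tc in CAMPAIGN
]

if __name__ == "__main__":
    for label, flag in (("N/A excluded", True), ("N/A scored as NotDetected", False)):
        print(label, coverage(CAMPAIGN, flag))
    print("TBD with no layer:", tbd_without_layer(WORKAROUND_CAMPAIGN))
```

With the two discovery steps excluded, the constructed campaign scores 2 of 3 assessed cases; scoring them as NotDetected drops that to 2 of 5, which is the distortion a dedicated outcome avoids.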

SRAPSpencer commented 2 years ago

This has been added as part of the expanded outcomes in 8.4.2.

https://github.com/SecurityRiskAdvisors/VECTR/releases/tag/ce-8.4.2