[Feature] MITRE Tactics Scoring Adjustment

[mikedizzle]

Is your feature request related to a problem? Please describe. In our environment, the MITRE scoring doesn't provide enough value to keep it at its current scoring.

Describe the solution you'd like I would like the ability to either adjust the MITRE scoring somehow or to ignore the MITRE score. I don't really know what adjusting the scoring looks like but maybe something like if tactics > 2, add score.

Describe alternatives you've considered The maintainer has provided me with a very viable workaround, I would just like to see this in the module action choices. Feel free to decline this feature request.

[briandelmsft]

@mikedizzle in our next major release we are (in addition to many many other things) looking to change how the MITRE tactics are scored. Specifically, the current plan is to have different scoring based on the severity of the tactic... for example, perhaps a Reconnaissance would score in the 1-3 range but an Impact would score a 10-15. This way the score would better reflect the severity of the tactic and not just the quantity of tactics. If that was available, do you think you would still want to be able to turn it off?

[briandelmsft]

@mikedizzle

STAT v2 is now in preview and has an adjust MITRE risk scoring, tactics earlier in the killchain are weighted lower, tactics very late in the kill chain are weighted a bit higher. More information on v2 below

STAT v2 Preview is ready for you to try. This is a major move forward from previous versions of STAT, now using an Azure Functions backend and Logic Apps front end. The look and feel is the same as v1, but the improvements on the backend are substantial. This is also a complete rewrite of all of the backend functionality, so do be aware there may be some undiscovered bugs, though there are no known issues in this build. If you encounter any bugs, or even unexpected changes in functionality from previous version please open an issue no matter how small the issue may be.

This build includes the following new features:

• Backend of STAT is now using Azure Functions instead of Logic apps
• Support for User Assigned Managed Identities, Service Principal and Multi Tenant service principal authentication (in addition to existing system assigned managed id support)
• Support for the Sentinel Alert trigger (in addition to existing incident trigger)
• Ability to create a new Sentinel incident from an alert and automatically link the alert
• Additional performance and other minor improvements

The Preview deployment can be found only in the statv2_preview branch of this repo as well as supporting documentation. That includes documentation specific to multi-tenant/MSSP scenarios.

The main branch does not contain any information about v2 at this time, so ensure you select the correct branch.

[mikedizzle]

@briandelmsft - Thanks for this. I finally got V2 installed and will look to how the MITRE scoring fits with our workflow. I think I'll probably still want the ability to turn off but if it doesn't get developed, no big deal.

[briandelmsft]

@mikedizzle The same manipulation of setting AllTacticsCount to 0 before submitting to the scoring module will keep it out of the score in v2 as well