Closed Radu3000 closed 3 years ago
Hi @Radu3000,
I'm not sure if the detection note would warrant a separate STIX object. Mitigations worked because a single mitigation applies across multiple techniques. Detection notes are (at present) reasonably specific to their technique, so it might not make sense to divorce them in that sense. Doing so would require a pretty major refactor of how detection is laid out in the data (having a general description in the detection object, and then specific applications in the relationships with techniques) and I'm not sure if that is something the ATT&CK team would want to do. As far as I know there are no plans to make this change at present.
@isaisabel
Just to make sure: there are some attack patterns, like Data Encoding and Data Obfuscation, that share the exact same x_mitre_detection notes. Others are very close but not an exact match. And you are right, the majority of them use specific detection. Yes, "doing so would require a pretty major refactor" - but there are also benefits - case in point: mitigation.
One can see the benefits for Mitigations to become a type. The same would apply to x_mitre_detection - which is right now a literal string.
Thanks, Radu
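To make the disagreement above concrete, here is an added example (not part of this thread and not ATT&CK tooling) that walks an ATT&CK-style STIX bundle and groups attack-pattern objects by their x_mitre_detection string, so one can measure how many techniques actually share a detection note verbatim. The bundle embedded below is constructed for the example with stand-in identifiers and note text; it is not real ATT&CK data. On a real bundle the same functions run over the object list loaded with json.load.

```python
import json
from collections import defaultdict

# Constructed, minimal ATT&CK-style STIX bundle (stand-in data, not real ATT&CK content).
# Only the fields the thread discusses are present.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--example-a",
         "name": "Data Encoding",
         "x_mitre_detection": "Analyze network data for uncommon data flows."},
        {"type": "attack-pattern", "id": "attack-pattern--example-b",
         "name": "Data Obfuscation",
         # Same note, differing only in trailing whitespace (constructed).
         "x_mitre_detection": "Analyze network data for uncommon data flows. "},
        {"type": "attack-pattern", "id": "attack-pattern--example-c",
         "name": "Technique C",
         "x_mitre_detection": "Monitor process creation events."},
        # A mitigation: already its own STIX type, so it is skipped here.
        {"type": "course-of-action", "id": "course-of-action--example-m",
         "name": "Network Intrusion Prevention"},
        # A technique with no detection note at all.
        {"type": "attack-pattern", "id": "attack-pattern--example-d",
         "name": "Technique D"},
    ],
}


def normalize(text):
    """Collapse whitespace so notes that differ only in spacing compare equal."""
    return " ".join(text.split())


def group_by_detection(bundle):
    """Map each distinct x_mitre_detection note to the technique names carrying it."""
    groups = defaultdict(list)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        note = obj.get("x_mitre_detection")
        if not note:
            continue
        groups[normalize(note)].append(obj["name"])
    return dict(groups)


def shared_detection_notes(bundle):
    """Only the notes used by more than one technique (the case Radu describes)."""
    return {note: names for note, names in group_by_detection(bundle).items()
            if len(names) > 1}


def load_bundle(path):
    """Load a STIX bundle from disk (e.g. a downloaded ATT&CK JSON file)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for note, names in shared_detection_notes(SAMPLE_BUNDLE).items():
        print(f"{len(names)} techniques share: {note!r} -> {names}")
```

Running this against a full ATT&CK bundle gives a quick count of how much a separate detection object would actually deduplicate; near-matches that differ in wording rather than whitespace still land in separate groups, which is the "very close but not exact" case in the thread.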