Closed Hackcidental closed 1 year ago
Hi @Hackcidental
A great resource on mapping event IDs from your logs to ATT&CK data sources/components is OSSEM: https://github.com/OTRF/OSSEM-DM/blob/main/use-cases/mitre_attack/attack_events_mapping.csv
In OSSEM "An account failed to log on" is mapped to User Account Authentication data component.
"A Kerberos service ticket was granted" is not in OSSEM (yet). But I think the best mapping currently is Active Directory Credential Request.
Regards, Ruben
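As an added example (not code from this thread or from the OSSEM project), a small Python resolver that loads OSSEM-style rows and merges local mappings for events OSSEM does not cover yet, such as the Kerberos service ticket event discussed above, then tags sample log records and reports unmapped IDs for triage. The CSV column names and the sample rows are assumptions and should be checked against the repository file.

```python
import csv
import io

# Constructed sample in the column layout assumed for OSSEM-DM's
# attack_events_mapping.csv (verify the header names against the repo).
OSSEM_CSV = """Data Source,Component,EventID,Event Name,Event Platform
User Account,User Account Authentication,4625,An account failed to log on,Windows
User Account,User Account Authentication,4624,An account was successfully logged on,Windows
Process,Process Creation,4688,A new process has been created,Windows
"""

# Local mappings for events OSSEM lacks: 4769 "A Kerberos service ticket was
# granted" mapped to Active Directory Credential Request, as suggested above.
LOCAL_OVERRIDES = {
    4769: [("Active Directory", "Active Directory Credential Request")],
}

def load_ossem(csv_text, platform="Windows"):
    """Parse OSSEM-style rows into {event_id: {(data_source, component), ...}}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Event Platform"] != platform:
            continue
        eid = int(row["EventID"])
        mapping.setdefault(eid, set()).add((row["Data Source"], row["Component"]))
    return mapping

def build_mapping(csv_text, overrides):
    """OSSEM mapping plus local overrides; an event may hit several components."""
    mapping = load_ossem(csv_text)
    for eid, pairs in overrides.items():
        mapping.setdefault(eid, set()).update(pairs)
    return mapping

def tag_events(records, mapping):
    """Attach ATT&CK data components to each record and collect unmapped IDs."""
    tagged, unmapped = [], set()
    for rec in records:
        comps = mapping.get(rec["EventID"], set())
        if not comps:
            unmapped.add(rec["EventID"])
        tagged.append({**rec, "attack_components": sorted(c for _, c in comps)})
    return tagged, sorted(unmapped)

# Constructed sample records (5140 "A network share object was accessed"
# is deliberately absent from both tables so it surfaces as unmapped).
SAMPLE_LOG = [
    {"EventID": 4625, "TargetUserName": "svc_backup"},
    {"EventID": 4769, "ServiceName": "MSSQLSvc/db01"},
    {"EventID": 5140, "ShareName": "ADMIN$"},
]

if __name__ == "__main__":
    tagged, unmapped = tag_events(SAMPLE_LOG, build_mapping(OSSEM_CSV, LOCAL_OVERRIDES))
    print(tagged, "review and map locally:", unmapped)
```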
Hi @rubinatorz,
Thank you for the great tip, we will look into the OSSEM mapping.
Best regards, Matteo
Hi,
Thank you for this framework, my team and I are studying it, and we think it's a really great tool.
We're facing some issues where we have some types of events that we cannot map to the categories that are present in the framework. How do you usually deal with those? Do you have some kind of guidance/mapping guide?
Two examples from the Windows Environment:
Thanks!