rabobank-cdc / DeTTECT

Detect Tactics, Techniques & Combat Threats
GNU General Public License v3.0

Question: How to handle non-mappable types of event? #98

Closed Hackcidental closed 1 year ago

Hackcidental commented 1 year ago

Hi,

Thank you for this framework, my team and I are studying it, and we think it's a really great tool.

We're facing some issues where we have some types of events that we cannot map to the categories that are present in the framework. How do you usually deal with those? Do you have some kind of guidance/mapping guide?

Two examples from the Windows Environment:

Thanks!

rubinatorz commented 1 year ago

Hi @Hackcidental

A great resource on mapping event IDs from your logs to ATT&CK data sources/components is OSSEM: https://github.com/OTRF/OSSEM-DM/blob/main/use-cases/mitre_attack/attack_events_mapping.csv

In OSSEM "An account failed to log on" is mapped to User Account Authentication data component.

"A Kerberos service ticket was granted" is not in OSSEM (yet). But I think the best mapping currently is Active Directory Credential Request.

Regards, Ruben
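
The lookup workflow described in this answer, as an added example (not part of the thread, DeTTECT or OSSEM): it loads OSSEM-style CSV rows, resolves Windows event IDs to ATT&CK data components, and falls back to an analyst-maintained override table for events OSSEM does not cover yet. The CSV header below is constructed to resemble attack_events_mapping.csv and its column names are assumed; the event IDs 4625 and 4769 are the standard Windows Security IDs for the two events named in the question.

```python
import csv
import io

# Constructed sample in the shape of OSSEM-DM's attack_events_mapping.csv.
# Column names are assumed for this example; check the real file's header
# before pointing the loader at it.
OSSEM_SAMPLE_CSV = """Data Source,Component,Source,Relationship,Target,EventID,Event Name,Event Platform
User Account,User Account Authentication,user,attempted to authenticate from,host,4625,An account failed to log on,Windows
Logon Session,Logon Session Creation,user,authenticated from,ip,4624,An account was successfully logged on,Windows
Process,Process Creation,process,created,process,4688,A new process has been created,Windows
"""

# Events OSSEM does not cover yet, with the best-fit component chosen by the
# analyst. The thread suggests Active Directory Credential Request for
# "A Kerberos service ticket was granted" (event ID 4769).
MANUAL_OVERRIDES = {
    ("Windows", "4769"): ("Active Directory", "Active Directory Credential Request"),
}


def load_ossem_mapping(csv_text):
    """Return {(platform, event_id): set of (data source, component)}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Event Platform"], row["EventID"].strip())
        mapping.setdefault(key, set()).add((row["Data Source"], row["Component"]))
    return mapping


def resolve_events(event_ids, ossem, overrides, platform="Windows"):
    """Map event IDs to ATT&CK data components and record where each mapping came from.

    Priority: OSSEM row first, then the manual override table, else 'unmapped'
    so the gap is visible instead of silently dropped from the coverage scoring.
    """
    results = {}
    for event_id in event_ids:
        key = (platform, str(event_id))
        if key in ossem:
            results[event_id] = {"source": "ossem", "components": sorted(ossem[key])}
        elif key in overrides:
            results[event_id] = {"source": "manual", "components": [overrides[key]]}
        else:
            results[event_id] = {"source": "unmapped", "components": []}
    return results


if __name__ == "__main__":
    ossem = load_ossem_mapping(OSSEM_SAMPLE_CSV)
    for eid, info in resolve_events([4625, 4769, 5156], ossem, MANUAL_OVERRIDES).items():
        print(eid, info["source"], info["components"])
```

Events reported as "unmapped" are the ones to raise with OSSEM or to add to the override table before entering the data source in DeTTECT.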

Hackcidental commented 1 year ago

Hi @rubinatorz,

Thank you for the great tip, we will look into the OSSEM mapping.

Best regards, Matteo