MITRE ATT&CK · Enterprise

28/35 technique coverage, with evidence.

The MITRE ATT&CK Enterprise techniques ShamashAi detects, in a single matrix. Green = Native (derived through parser + risk + correlation). Yellow = Partial (raw log captured + alert rule preset ready). Blue = Roadmap. Blank = out of scope.

New: every ATT&CK technique chip is now clickable in the product panel. The events list, the event detail view and the alert-rule form show the technique chips relevant to the selected match_event_type and link to attack.mitre.org.

Native 17 · Partial 11 · Roadmap 4 · Tactics 14
  Technique  Name                               Status        Detection source

TA0043 Reconnaissance (1/2 native)
  T1595      Active Scanning                    Native        PORT_SCAN_DETECT · firewall syslog
  T1592      Gather Victim Host Info            Partial       DNS lookup probes

TA0042 Resource Development (0/1 native)
  T1583      Acquire Infrastructure             Out of scope

TA0001 Initial Access (4/5 native)
  T1110      Brute Force                        Native        BRUTE_FORCE_DETECTED + correlation engine
  T1190      Exploit Public-Facing App          Native        IPS_DETECT (Fortinet) + WAF logs
  T1133      External Remote Services           Native        VPN_LOGIN_FAILED · M365_SIGNIN_FAILURE
  T1078      Valid Accounts                     Native        BEHAVIORAL_ANOMALY · baseline drift
  T1566      Phishing                           Partial       M365 Defender · Mail.Read alerts

TA0002 Execution (0/2 native)
  T1059      Command & Scripting Interpreter    Partial       Win 4688 process audit (WinRM pull)
  T1569      System Services                    Roadmap

TA0003 Persistence (2/3 native)
  T1136      Create Account                     Native        AD 4720 · user_created
  T1098      Account Manipulation               Native        AD 4728/4732 · group add
  T1547      Boot/Logon Autostart               Roadmap

TA0004 Privilege Escalation (1/2 native)
  T1078      Valid Accounts (Privileged)        Native        admin_user × 1.5 risk multiplier
  T1068      Exploitation for Priv Esc          Partial       IPS + raw syslog match

TA0005 Defense Evasion (2/3 native)
  T1562      Impair Defenses                    Native        audit_log + visibility-gaps · no_logs_24h
  T1070      Indicator Removal                  Native        event_clear · Win 1102 detected
  T1027      Obfuscated Files                   Out of scope

TA0006 Credential Access (2/4 native)
  T1110.001  Password Guessing                  Native        BRUTE_FORCE_DETECTED
  T1110.003  Password Spraying                  Native        distinct_users ≥ 3 in window
  T1003      OS Credential Dumping              Partial       Win 4624 type-9 anomaly
  T1555      Credentials from Password Stores   Out of scope

TA0007 Discovery (1/2 native)
  T1018      Remote System Discovery            Native        PORT_SCAN_DETECT · NETWORK_PROBE
  T1087      Account Discovery                  Partial       AD 4798/4799

TA0008 Lateral Movement (1/2 native)
  T1021      Remote Services (RDP/SMB)          Native        AUTH_FAIL_RDP · BRUTE_FORCE_DETECTED
  T1570      Lateral Tool Transfer              Roadmap

TA0009 Collection (0/2 native)
  T1213      Data from Information Repos        Partial       SQL audit, M365 audit
  T1530      Cloud Storage Object               Roadmap

TA0011 Command & Control (2/2 native)
  T1071      Application Layer Protocol         Native        KNOWN_BAD_IP · threat-intel match
  T1090      Proxy                              Native        Tor exit node detect

TA0010 Exfiltration (0/2 native)
  T1041      Exfil over C2                      Partial       Fortigate flow stats + DENY policies
  T1567      Exfil over Web Service             Partial       WAF + DNS lookups

TA0040 Impact (1/3 native)
  T1486      Data Encrypted for Impact          Partial       BACKUP_FAILED + EDR syslog match
  T1485      Data Destruction                   Partial
  T1498      Network Denial of Service          Native        Fortigate DoS sensor logs

Native

The full chain parser → canonical event → risk multiplier → correlation is in place. Detection is deterministic, and the "Why this score" list is auditable.

Partial

Raw syslog is captured and the relevant alert rule preset is ready. Detection fires once the customer enables the rule; it is silent by default.

Roadmap

On the v1.5 / v2.0 roadmap. Early access can be granted within a pilot scope when a customer specifically asks for it.
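To make the Native chain concrete, here is a miniature of it in Python: a parser that turns raw auth-failure lines into canonical events, a correlation step that applies the matrix's two credential-access rules (password spraying as "distinct_users ≥ 3 in window", password guessing as repeated failures against one account from one source) and the "admin_user × 1.5" risk multiplier, and a "Why this score" reason list on every alert. This is an added example, not ShamashAi code: the log line format, the 5-failure brute-force threshold, the 5-minute window, the base score of 40 and the "adm-" prefix marking privileged accounts are all assumptions made for the example.

```python
"""Toy version of the Native pipeline: parser -> canonical event -> risk
multiplier -> correlation. Constructed example, not product code."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> auth_fail user=<u> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth_fail user=(?P<user>\S+) src=(?P<src>\S+)$")

# The spraying rule (>= 3 distinct users in a window) is the one the matrix names.
# The brute-force count, the window length and the base score are assumptions.
WINDOW = timedelta(minutes=5)
BRUTE_FORCE_MIN_FAILURES = 5
SPRAY_MIN_DISTINCT_USERS = 3
ADMIN_MULTIPLIER = 1.5   # "admin_user x 1.5 risk multiplier" from the matrix
BASE_SCORE = 40          # assumed base risk for either detection

# Constructed sample input: one spraying source, one guessing source,
# one failure outside the window and one line the parser cannot read.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 auth_fail user=alice src=10.0.0.5",
    "2024-01-01T10:00:05 auth_fail user=bob src=10.0.0.5",
    "2024-01-01T10:00:09 auth_fail user=carol src=10.0.0.5",
    "2024-01-01T10:00:14 auth_fail user=adm-dave src=10.0.0.5",
    "2024-01-01T10:01:00 auth_fail user=alice src=10.0.0.9",
    "2024-01-01T10:01:02 auth_fail user=alice src=10.0.0.9",
    "2024-01-01T10:01:04 auth_fail user=alice src=10.0.0.9",
    "2024-01-01T10:01:06 auth_fail user=alice src=10.0.0.9",
    "2024-01-01T10:01:08 auth_fail user=alice src=10.0.0.9",
    "2024-01-01T10:20:00 auth_fail user=alice src=10.0.0.9",  # outside the window
    "this line is not an auth event and is skipped",
]


def parse(lines):
    """Parser stage: raw lines -> canonical events, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines never reach correlation
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_type": "AUTH_FAIL",
            "user": m["user"],
            "src": m["src"],
            # Assumed convention: accounts prefixed "adm-" are privileged.
            "admin_user": m["user"].startswith("adm-"),
        })
    return sorted(events, key=lambda e: e["ts"])


def score(any_admin):
    """Risk stage: base score, multiplied when a privileged account is involved.
    Returns the score and the auditable reasons that produced it."""
    reasons = [f"base score {BASE_SCORE}"]
    value = BASE_SCORE
    if any_admin:
        value *= ADMIN_MULTIPLIER
        reasons.append(f"admin_user x {ADMIN_MULTIPLIER} risk multiplier")
    return value, reasons


def correlate(events):
    """Correlation stage: per source, look at AUTH_FAIL events inside WINDOW
    (anchored at the source's first failure) and emit tagged alerts."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_type"] == "AUTH_FAIL":
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        start = evs[0]["ts"]
        window = [e for e in evs if e["ts"] - start <= WINDOW]
        users = {e["user"] for e in window}
        per_user = Counter(e["user"] for e in window)
        any_admin = any(e["admin_user"] for e in window)

        if len(users) >= SPRAY_MIN_DISTINCT_USERS:
            value, why = score(any_admin)
            why.append(f"{len(users)} distinct users from {src} within {WINDOW}")
            alerts.append({"alert": "BRUTE_FORCE_DETECTED", "technique": "T1110.003",
                           "src": src, "score": value, "why": why})
        elif per_user and max(per_user.values()) >= BRUTE_FORCE_MIN_FAILURES:
            user, n = per_user.most_common(1)[0]
            value, why = score(any_admin)
            why.append(f"{n} failures against {user} from {src} within {WINDOW}")
            alerts.append({"alert": "BRUTE_FORCE_DETECTED", "technique": "T1110.001",
                           "src": src, "score": value, "why": why})
    return alerts


def detect(lines):
    """Whole chain: parse -> correlate."""
    return correlate(parse(lines))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["alert"], a["technique"], a["src"], a["score"])
        for reason in a["why"]:
            print("  why:", reason)
```

Every alert carries the technique ID it maps to, which is what lets a technique chip in the panel resolve back to the concrete rule and events that fired it; the "why" list is the audit trail the Native tier promises.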

ATT&CK coverage in detail

Within the pilot SOW, a customer-specific ATT&CK mapping report is prepared: which technique is covered by which event_type / alert rule / runbook, with the evidence included in the evidence pack.