
Configure and Run Data Audit

Written by Nataliia Pukaliak

Data Audit enables you to review which log sources have been automatically identified in your Data Planes and address threat detection blind spots with an actionable plan generated by mapping the data collected in your SIEM to MITRE ATT&CK. Running a Data Audit improves threat visibility and optimizes SIEM usage by filtering irrelevant or noisy data.

Before running the Data Audit, make sure you are all set up. Please refer to the initial requirements and recommendations described in this guide.

The general Data Audit flow is as follows:

  1. Queries are sent to your Data Plane (SIEM, EDR, or Data Lake) via API to collect aggregated statistics: the log sources present and the number of accounts and assets.

  2. The identified log sources are mapped to MITRE ATT&CK to identify potential threat detection gaps.

  3. Users review the Data Audit results to check the list of log sources, the existing visibility into threats as per ATT&CK, and the current blind spots in their environment.

  4. Users can repeat the Data Audit after implementing the blind spot recommendations to confirm the gaps have been closed.

Note: The default Data Audit period is 90 days, which is recommended so that all your organization's log sources are analyzed. Depending on your environment's capacity, this period can be changed: if a large-scale SIEM instance holds a massive amount of data, you can choose a shorter Data Audit period. Keep in mind that the audit only sees log sources that produced events inside the chosen window, so with a short period low-volume or intermittent sources may be reported as missing and show up as blind spots.
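The following added example illustrates the flow above on constructed data; it is not Attack Detective's own logic, API, or ATT&CK mapping. It takes the kind of per-log-source aggregate an API query against a Data Plane could return, keeps only the sources that actually delivered events inside the selected audit period, maps them to ATT&CK data components, and reports which techniques are fully, partially, or not at all visible. The log-source names, event counts, the source-to-data-component mapping and the technique subset are all assumptions made for the example; it also shows why a shorter period can turn a stale feed into a blind spot, and flags active sources that map to no ATT&CK data component as noise candidates.

```python
"""Illustrative log-source to ATT&CK coverage check (added example, not
Attack Detective's own logic). Every name, count and mapping below is an
assumption constructed for the example."""
from datetime import datetime, timedelta, timezone

# Audit periods as offered in the Data Audit setup (Custom omitted here).
AUDIT_PERIODS = {
    "Test": timedelta(hours=24),
    "Short": timedelta(days=30),
    "Full": timedelta(days=90),
}

# Constructed sample aggregate: source -> (event count, last event seen).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_STATS = {
    "WinEventLog:Security": (1_250_000, NOW - timedelta(hours=2)),
    "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational": (4_800_000, NOW - timedelta(hours=1)),
    "linux_audit": (0, None),                              # index exists, nothing arrived
    "pan:traffic": (9_900_000, NOW - timedelta(days=40)),  # stale: feed stopped 40 days ago
    "app:debug_trace": (60_000_000, NOW - timedelta(minutes=5)),  # high volume, no detection value
}

# Assumed mapping from a log source to the ATT&CK data components it can feed.
SOURCE_TO_DATA_COMPONENTS = {
    "WinEventLog:Security": {
        "Logon Session: Logon Session Creation",
        "Process: Process Creation",
    },
    "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational": {
        "Process: Process Creation",
        "Command: Command Execution",
        "Network Traffic: Network Connection Creation",
    },
    "linux_audit": {"Process: Process Creation", "Command: Command Execution"},
    "pan:traffic": {
        "Network Traffic: Network Traffic Flow",
        "Network Traffic: Network Connection Creation",
    },
    # "app:debug_trace" intentionally has no mapping.
}

# Constructed subset of ATT&CK techniques with a subset of the data
# components ATT&CK lists as able to detect them.
TECHNIQUE_DATA_COMPONENTS = {
    "T1059 Command and Scripting Interpreter": {
        "Process: Process Creation", "Command: Command Execution"},
    "T1078 Valid Accounts": {
        "Logon Session: Logon Session Creation",
        "User Account: User Account Authentication"},
    "T1071 Application Layer Protocol": {
        "Network Traffic: Network Traffic Content",
        "Network Traffic: Network Traffic Flow"},
    "T1003 OS Credential Dumping": {
        "Process: OS API Execution", "Process: Process Access",
        "Command: Command Execution"},
}


def active_sources(stats, period, now=NOW):
    """Sources that delivered at least one event inside the audit window.

    Zero-count sources and sources whose last event predates the window are
    treated as missing, so a shorter period exposes stale feeds."""
    window_start = now - AUDIT_PERIODS[period]
    return {
        src for src, (count, last_seen) in stats.items()
        if count > 0 and last_seen is not None and last_seen >= window_start
    }


def coverage_report(stats, period, now=NOW):
    """Classify log sources and techniques for one audit period."""
    active = active_sources(stats, period, now)
    covered = set().union(*(SOURCE_TO_DATA_COMPONENTS.get(s, set()) for s in active))
    visible, partial, blind = [], {}, []
    for technique, needed in TECHNIQUE_DATA_COMPONENTS.items():
        missing = needed - covered
        if not missing:
            visible.append(technique)
        elif missing == needed:
            blind.append(technique)
        else:
            partial[technique] = sorted(missing)
    return {
        "period": period,
        "active_sources": sorted(active),
        "missing_sources": sorted(set(stats) - active),
        # Active but mapped to nothing: candidates for filtering as noise.
        "unmapped_sources": sorted(s for s in active if s not in SOURCE_TO_DATA_COMPONENTS),
        "visible_techniques": sorted(visible),
        "partially_visible": partial,
        "blind_spots": sorted(blind),
    }


if __name__ == "__main__":
    for period in ("Test", "Short", "Full"):
        report = coverage_report(SAMPLE_STATS, period)
        print(f"--- {period} period ---")
        for key, value in report.items():
            print(f"{key}: {value}")
```

With this data, the Test (24-hour) and Short (30-day) periods report `pan:traffic` as missing and T1071 as a blind spot, because the feed went quiet 40 days ago; the Full (90-day) period still sees it and reports T1071 as only partially visible. `linux_audit` is missing in every period, and `app:debug_trace` is flagged as an unmapped, high-volume source worth filtering.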

To set up and run Data Audit:

  1. Select the corresponding item on the homepage or in the header navigation of Attack Detective.

    Alternatively, you can start Data Audit by navigating to Audits > Start Audit > Data Audit.

  2. Name your Data Audit. You can keep the default name formed after the following pattern: Audit {date and time}.

  3. Turn on the Share to Company toggle to make the audit available to users in your company. You can also enable this later by going to the Audits page, selecting the three dots on the corresponding audit record, and choosing Share to Company.

  4. Select Data Plane Type.

    • Cloud or On Premise – Select this option to connect Attack Detective to your cloud or on-premise environment. This environment can be accessed directly via API or the SOC Prime Attack Detective App.

    • Isolated – Select this option for air-gapped environments (currently supported for Splunk only). To generate the Data Audit file, install the SOC Prime Attack Detective App for Splunk from Splunkbase and then export the Data Audit results as JSON from the socprime index in your Splunk instance.

  5. Select the Audit Period. The default Full period for Data Audit is 90 days. Alternatively, you can choose the following options depending on your environment capacity, the amount of data, and current security needs:

    • Test (24 hours)

    • Short (30 days)

    • Custom

  6. Select one or multiple Tenants that hold the Data Planes you're going to scan during the Data Audit. The selected Tenants define what Data Planes are available for selection at the next step.

    • Any Data Planes that haven't been added to a Tenant are displayed as belonging to the default None tenant.

    • If the Tenants feature is not available to your organization, the Tenants dropdown is not displayed and the Data Planes dropdown includes all your Data Planes.

  7. Select the Data Plane. Note that only one Data Plane can be selected per Data Audit.

    Check the connection status shown for the selected Data Plane before continuing:

    • Connected – the Data Plane connection is OK, you can continue.

    • Disconnected – the connection is not operational. Check the error message to fix the issue and try again.

  8. Once configured, click Run Data Audit.

  9. Wait until the Data Audit is finished.

Note: The Data Audit can take some time. While the audit is in progress, you can leave the page and use Attack Detective for other tasks, then check the Data Audit results once it has finished.

To learn how to view the Data Audit results, follow this guide. You can also view a list of your audits along with their details on the Audits page. Go to this guide to learn more.
