During the Content Audit, Attack Detective maps detection rules and queries to the MITRE ATT&CK framework, providing a real-time assessment of your detection coverage alongside expert-driven, AI-enhanced recommendations to close gaps by remapping and optimizing the existing detection stack. This process helps you improve threat visibility by auto-mapping your rules and queries to MITRE ATT&CK with an AI model that does not expose your code.
Make sure you’re all set up to start running the Content Audit. Please refer to the setup requirements and recommendations.
The general Content Audit flow is as follows:
1. Detection content deployed in your SIEM is downloaded to the selected repo.
2. Our private AI model analyzes the downloaded content without leaking any data. The AI suggests MITRE ATT&CK techniques potentially covered by the content.
3. The user reviews the audit results.
4. If needed, the user updates the MITRE ATT&CK techniques the detection content is mapped to.
To set up and run Content Audit:
1. Select the corresponding item on the homepage or in the header navigation of Attack Detective. Alternatively, you can start Content Audit by navigating to Audits > Start Audit > Content Audit.
2. To set up a Content Audit, first give it a name. You can keep the default name formed using the following pattern: Audit {date and time}.
3. Turn on the Share to Company toggle to make the audit available to users in your company. You can also enable this later by going to the Audits page, selecting the three dots on the corresponding audit record, and choosing Share to Company.
Set up a Content Audit via Data Plane
By selecting this content source option, a Content Audit is performed by first connecting to your Data Plane via API, pulling all supported content types from it, and then saving them to a chosen Repository for further analysis.
1. Select the Data Plane content source.
2. Select the Repository to save content to. Note that all content in the Repository will be analyzed during the Content Audit. Therefore, we recommend choosing an empty Repository because otherwise, the Content Audit results will be affected by the pre-existing content.
3. If Tenants are available for your organization, first select the Tenant to which the desired Data Plane belongs.
4. Select a Data Plane from the Data Plane dropdown list. Only one Data Plane can be added to a Content Audit.
5. Ensure your Data Plane connection works:
   - Connected – the Data Plane connection is OK, you can continue.
   - Disconnected – the connection is not operational. Check the error message to fix the issue and try again.
6. Click Next.
7. Wait until the Content Audit is finished.
Note:
- Content Audit is currently supported only for cloud platforms, including Microsoft Sentinel, Elastic, Sumo Logic, and Splunk.
- If you haven't configured a Data Plane for your SIEM, first configure it and then start the Content Audit use case again.
Set up a Content Audit Directly via Repository
Selecting this content source option lets you bypass the need for a Data Plane connection. It is recommended for organizations with strict security policies and data privacy limitations that prohibit any third-party access to their data.
1. Select the Repository content source.
2. Select a Custom Repository where the content you would like to analyze is stored.
3. From the Select Platforms dropdown, select the specific content type you would like to include in the Content Audit for analysis in this repo.
   Note: You can currently select one platform and one content type for Content Audit.
4. Click Next.
5. Wait until the Content Audit is finished.
To learn how to view the Content Audit results, follow this guide. You can also view a list of your audits along with their details on the Audits page. Go to this guide to learn more.
