What are active signals?


As per the Mitre Attack document, ‘The green bar next to the technique indicates that there are workbooks with active signals’. Can someone help me with the term active signals that is mentioned in the document?


Hi ping_intelligence,
Thanks for your question.

There is no difference between Active signal and Signal. The Green bar in a TTP indicates that the Log information required for that TTP to get detected is available in your DNIF setup and also that the Detection rule is available in the form of a Workbook.

A Blue bar in TTP indicates the logs are not available but the Detection rule is present. As soon as data is made available for any TTP (this statement is corrected), the bar turns Green.

The bigger purpose of this colour coding is to help DNIF clients visualize how many Log sources they need to integrate with DNIF in order to take advantage of TTP-specific detection rules that are shipped out of the box with DNIF. A larger number of Blue TTPs signifies that DNIF has provided its Users the capability to detect the attack but the DNIF Adapter is not receiving the right type of data. The SOC Team is advised to increase their monitoring terrain by increasing the number of Green TTPs.

For more documentation kindly visit this


Hey @BodhiSaar - this seems a bit confusing. Just to clarify - if the rule is already present and logs are not present for the TTP to work, it's marked BLUE. However, is it marked GREEN when the rule is written again, or if rules and logs both are present?

Can the color schemes be simplified as universal Red Amber Green (RAG)? It will be easier to recall and reference I guess…just a suggestion…


GREEN means Log and Rule both are present. Blue means only Rule is present. BLUE turns GREEN as soon as the Logs start flowing in. My bad, it is not the detection rule, but the presence of Log that makes a difference, because detection rules are present in both cases.

We are working on introducing a few more color codes to bring more clarity in the visual representation. So there will be more than 3 coding schemes, however thank you for your suggestion. We really appreciate this feedback.

