{"framework":"csa-ccm-4","framework_label":"CSA CCM v4","controls":[{"control_id":"AIS-02","title":"Application Security Baseline Requirements","family":"AIS","techniques":[{"id":"T1496.004","name":"Cloud Service Hijacking","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1671","name":"Cloud Application Integration","detectable":false},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":11,"detectable_count":6,"coverage_pct":54,"has_mapping":true,"is_enhancement":false},{"control_id":"AIS-04","title":"Secure Application Design and Development","family":"AIS","techniques":[{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1550","name":"Use Alternate Authentication 
Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"}],"technique_count":11,"detectable_count":10,"coverage_pct":90,"has_mapping":true,"is_enhancement":false},{"control_id":"AIS-05","title":"Automated Application Security Testing","family":"AIS","techniques":[{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1134","name":"Access Token Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"},{"id":"T1505.003","name":"Web Shell","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, 
CAR"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":19,"detectable_count":16,"coverage_pct":84,"has_mapping":true,"is_enhancement":false},{"control_id":"AIS-06","title":"Automated Secure Application Deployment","family":"AIS","techniques":[{"id":"T1535","name":"Unused/Unsupported Cloud Regions","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1671","name":"Cloud Application Integration","detectable":false},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1496","name":"Resource Hijacking","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"}],"technique_count":15,"detectable_count":9,"coverage_pct":60,"has_mapping":true,"is_enhancement":false},{"control_id":"AIS-07","title":"Application 
Vulnerability Remediation","family":"AIS","techniques":[{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"}],"technique_count":5,"detectable_count":5,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"AIS-08","title":"API Security","family":"AIS","techniques":[{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"}],"technique_count":3,"detectable_count":3,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"BCR-08","title":"Backup","family":"BCR","techniques":[{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1561","name":"Disk Wipe","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1561.001","name":"Disk Content Wipe","detectable":true,"detections":"Sigma"},{"id":"T1561.002","name":"Disk Structure 
Wipe","detectable":true,"detections":"Sigma"}],"technique_count":10,"detectable_count":6,"coverage_pct":60,"has_mapping":true,"is_enhancement":false},{"control_id":"CEK-03","title":"Data Encryption","family":"CEK","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1669","name":"Wi-Fi Networks","detectable":false},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache Poisoning","detectable":true,"detections":"Falco"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":14,"detectable_count":11,"coverage_pct":78,"has_mapping":true,"is_enhancement":false},{"control_id":"DCS-09","title":"Equipment Identification","family":"DCS","techniques":[{"id":"T1219.003","name":"Remote Access Hardware","detectable":false},{"id":"T1599","name":"Network Boundary Bridging","detectable":false},{"id":"T1200","name":"Hardware Additions","detectable":true,"detections":"Sigma"},{"id":"T1599.001","name":"Network Address Translation 
Traversal","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":2,"coverage_pct":50,"has_mapping":true,"is_enhancement":false},{"control_id":"DCS-15","title":"Secure Utilities","family":"DCS","techniques":[{"id":"T1496.002","name":"Bandwidth Hijacking","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1496","name":"Resource Hijacking","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1529","name":"System Shutdown/Reboot","detectable":true,"detections":"Sigma"}],"technique_count":8,"detectable_count":4,"coverage_pct":50,"has_mapping":true,"is_enhancement":false},{"control_id":"DCS-18","title":"Datacenter Operations Resilience","family":"DCS","techniques":[{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1496.001","name":"Compute Hijacking","detectable":false},{"id":"T1496.002","name":"Bandwidth Hijacking","detectable":false},{"id":"T1496.004","name":"Cloud Service Hijacking","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1489","name":"Service Stop","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1496","name":"Resource 
Hijacking","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1529","name":"System Shutdown/Reboot","detectable":true,"detections":"Sigma"}],"technique_count":16,"detectable_count":7,"coverage_pct":43,"has_mapping":true,"is_enhancement":false},{"control_id":"DSP-02","title":"Secure Disposal","family":"DSP","techniques":[{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"}],"technique_count":2,"detectable_count":1,"coverage_pct":50,"has_mapping":true,"is_enhancement":false},{"control_id":"DSP-04","title":"Data Classification","family":"DSP","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1020","name":"Automated Exfiltration","detectable":true,"detections":"Sigma, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web 
Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":13,"detectable_count":8,"coverage_pct":61,"has_mapping":true,"is_enhancement":false},{"control_id":"DSP-07","title":"Data Protection by Design and Default","family":"DSP","techniques":[{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1559","name":"Inter-Process Communication","detectable":true,"detections":"CAR"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"}],"technique_count":9,"detectable_count":9,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"DSP-08","title":"Data Privacy by Design and Default","family":"DSP","techniques":[{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data 
Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":10,"detectable_count":7,"coverage_pct":70,"has_mapping":true,"is_enhancement":false},{"control_id":"DSP-10","title":"Sensitive Data Transfer","family":"DSP","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1114.002","name":"Remote Email Collection","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1565.003","name":"Runtime Data Manipulation","detectable":false},{"id":"T1669","name":"Wi-Fi Networks","detectable":false},{"id":"T1020","name":"Automated Exfiltration","detectable":true,"detections":"Sigma, Falco"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1114","name":"Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.001","name":"Local Email Collection","detectable":true,"detections":"Sigma"},{"id":"T1114.003","name":"Email Forwarding Rule","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"}],"technique_count":16,"detectable_count":11,"coverage_pct":68,"has_mapping":true,"is_enhancement":false},{"control_id":"DSP-15","title":"Limitation of Production Data Use","family":"DSP","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 
Protocol","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1586.003","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"}],"technique_count":17,"detectable_count":15,"coverage_pct":88,"has_mapping":true,"is_enhancement":false},{"control_id":"DSP-16","title":"Data Retention and Deletion","family":"DSP","techniques":[{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491","name":"Defacement","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, 
Falco"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1491.001","name":"Internal Defacement","detectable":true,"detections":"Sigma"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"}],"technique_count":9,"detectable_count":6,"coverage_pct":66,"has_mapping":true,"is_enhancement":false},{"control_id":"DSP-17","title":"Sensitive Data Protection","family":"DSP","techniques":[{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1567","name":"Exfiltration Over Web 
Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1609","name":"Container Administration Command","detectable":true,"detections":"Sigma"}],"technique_count":16,"detectable_count":14,"coverage_pct":87,"has_mapping":true,"is_enhancement":false},{"control_id":"HRS-03","title":"Clean Desk Policy and Procedures","family":"HRS","techniques":[{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1113","name":"Screen Capture","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"}],"technique_count":11,"detectable_count":7,"coverage_pct":63,"has_mapping":true,"is_enhancement":false},{"control_id":"I\u0026S-03","title":"Network Security","family":"I\u0026S","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1602","name":"Data from Configuration 
Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, 
IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"}],"technique_count":31,"detectable_count":22,"coverage_pct":70,"has_mapping":true,"is_enhancement":false},{"control_id":"I\u0026S-04","title":"OS Hardening and Base Controls","family":"I\u0026S","techniques":[{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"}],"technique_count":13,"detectable_count":12,"coverage_pct":92,"has_mapping":true,"is_enhancement":false},{"control_id":"I\u0026S-05","title":"Production and Non-Production Environments","family":"I\u0026S","techniques":[{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1550","name":"Use Alternate 
Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"I\u0026S-06","title":"Segmentation and Segregation","family":"I\u0026S","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud 
Credentials","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"}],"technique_count":29,"detectable_count":25,"coverage_pct":86,"has_mapping":true,"is_enhancement":false},{"control_id":"I\u0026S-07","title":"Migration to Cloud Environments","family":"I\u0026S","techniques":[{"id":"T1020.001","name":"Traffic Duplication","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1557.002","name":"ARP Cache 
Poisoning","detectable":true,"detections":"Falco"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1565.002","name":"Transmitted Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":13,"detectable_count":11,"coverage_pct":84,"has_mapping":true,"is_enhancement":false},{"control_id":"I\u0026S-09","title":"Network Defense","family":"I\u0026S","techniques":[{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1071.002","name":"File Transfer Protocols","detectable":false},{"id":"T1071.003","name":"Mail Protocols","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1104","name":"Multi-Stage Channels","detectable":false},{"id":"T1132.002","name":"Non-Standard Encoding","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1602.001","name":"SNMP (MIB Dump)","detectable":false},{"id":"T1602.002","name":"Network Device Configuration Dump","detectable":false},{"id":"T1008","name":"Fallback Channels","detectable":true,"detections":"Sigma"},{"id":"T1029","name":"Scheduled Transfer","detectable":true,"detections":"CAR"},{"id":"T1040","name":"Network Sniffing","detectable":true,"detections":"Sigma, CAR"},{"id":"T1046","name":"Network Service Discovery","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.001","name":"Exfiltration Over Symmetric Encrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 
Protocol","detectable":true,"detections":"Sigma"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1071.004","name":"DNS","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.001","name":"Internal Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.002","name":"External Proxy","detectable":true,"detections":"Sigma"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1132","name":"Data Encoding","detectable":true,"detections":"Falco"},{"id":"T1132.001","name":"Standard Encoding","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1557","name":"Adversary-in-the-Middle","detectable":true,"detections":"Sigma"},{"id":"T1570","name":"Lateral Tool Transfer","detectable":true,"detections":"Sigma, CAR, 
IDS"},{"id":"T1571","name":"Non-Standard Port","detectable":true,"detections":"Sigma"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"}],"technique_count":40,"detectable_count":31,"coverage_pct":77,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-02","title":"Strong Password Policy and Procedures","family":"IAM","techniques":[{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1110.004","name":"Credential Stuffing","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1621","name":"Multi-Factor Authentication Request Generation","detectable":true,"detections":"Sigma"}],"technique_count":16,"detectable_count":12,"coverage_pct":75,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-03","title":"Identity Inventory","family":"IAM","techniques":[{"id":"T1556.007","name":"Hybrid 
Identity","detectable":false},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":3,"coverage_pct":75,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-04","title":"Separation of Duties","family":"IAM","techniques":[{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"}],"technique_count":4,"detectable_count":2,"coverage_pct":50,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-05","title":"Least Privilege","family":"IAM","techniques":[{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, 
IDS"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556.006","name":"Multi-Factor Authentication","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"}],"technique_count":28,"detectable_count":16,"coverage_pct":57,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-06","title":"User Access Provisioning","family":"IAM","techniques":[{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service 
Dashboard","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.001","name":"Group Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1505","name":"Server Software Component","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"}],"technique_count":24,"detectable_count":16,"coverage_pct":66,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-07","title":"User Access Changes and Revocation","family":"IAM","techniques":[{"id":"T1021.008","name":"Direct Cloud VM 
Connections","detectable":false},{"id":"T1213.001","name":"Confluence","detectable":false},{"id":"T1213.002","name":"Sharepoint","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1548.005","name":"Temporary Elevated Cloud Access","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.001","name":"Remote Desktop Protocol","detectable":true,"detections":"Sigma, CAR"},{"id":"T1021.004","name":"SSH","detectable":true,"detections":"Sigma, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"}],"technique_count":17,"detectable_count":10,"coverage_pct":58,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-08","title":"User Access Review","family":"IAM","techniques":[{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, 
CAR"}],"technique_count":5,"detectable_count":4,"coverage_pct":80,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-09","title":"Segregation of Privileged Access Roles","family":"IAM","techniques":[{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"}],"technique_count":15,"detectable_count":12,"coverage_pct":80,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-10","title":"Management of Privileged Access Roles","family":"IAM","techniques":[{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1021.007","name":"Cloud 
Services","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"}],"technique_count":15,"detectable_count":12,"coverage_pct":80,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-11","title":"CSCs Approval for Agreed Privileged Access Roles","family":"IAM","techniques":[{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud 
Roles","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"}],"technique_count":14,"detectable_count":11,"coverage_pct":78,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-13","title":"Uniquely Identifiable Users","family":"IAM","techniques":[{"id":"T1036.010","name":"Masquerade Account Name","detectable":false},{"id":"T1556.007","name":"Hybrid Identity","detectable":false},{"id":"T1585.003","name":"Cloud Accounts","detectable":false},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1087.004","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1564.002","name":"Hidden Users","detectable":true,"detections":"Sigma"},{"id":"T1586.003","name":"Cloud Accounts","detectable":true,"detections":"Sigma"}],"technique_count":11,"detectable_count":8,"coverage_pct":72,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-14","title":"Strong Authentication","family":"IAM","techniques":[{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1556.007","name":"Hybrid 
Identity","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.002","name":"Domain Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1539","name":"Steal Web Session Cookie","detectable":true,"detections":"Sigma"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"}],"technique_count":19,"detectable_count":16,"coverage_pct":84,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-15","title":"Passwords Management","family":"IAM","techniques":[{"id":"T1110.003","name":"Password Spraying","detectable":false},{"id":"T1555.006","name":"Cloud Secrets Management Stores","detectable":false},{"id":"T1078","name":"Valid Accounts","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1078.003","name":"Local Accounts","detectable":true,"detections":"Sigma, 
CAR"},{"id":"T1078.004","name":"Cloud Accounts","detectable":true,"detections":"Sigma"},{"id":"T1110","name":"Brute Force","detectable":true,"detections":"Sigma"},{"id":"T1110.001","name":"Password Guessing","detectable":true,"detections":"Sigma"},{"id":"T1110.002","name":"Password Cracking","detectable":true,"detections":"Sigma"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.001","name":"Credentials In Files","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1555.003","name":"Credentials from Web Browsers","detectable":true,"detections":"Sigma"},{"id":"T1555.005","name":"Password Managers","detectable":true,"detections":"Sigma"}],"technique_count":15,"detectable_count":13,"coverage_pct":86,"has_mapping":true,"is_enhancement":false},{"control_id":"IAM-16","title":"Authorization Mechanisms","family":"IAM","techniques":[{"id":"T1021.008","name":"Direct Cloud VM Connections","detectable":false},{"id":"T1070.008","name":"Clear Mailbox Data","detectable":false},{"id":"T1074.002","name":"Remote Data Staging","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1098.002","name":"Additional Email Delegate Permissions","detectable":false},{"id":"T1098.006","name":"Additional Container Cluster Roles","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1485.001","name":"Lifecycle-Triggered Deletion","detectable":false},{"id":"T1491.002","name":"External Defacement","detectable":false},{"id":"T1496.001","name":"Compute Hijacking","detectable":false},{"id":"T1496.002","name":"Bandwidth 
Hijacking","detectable":false},{"id":"T1496.004","name":"Cloud Service Hijacking","detectable":false},{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1535","name":"Unused/Unsupported Cloud Regions","detectable":false},{"id":"T1556.009","name":"Conditional Access Policies","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1578.001","name":"Create Snapshot","detectable":false},{"id":"T1578.002","name":"Create Cloud Instance","detectable":false},{"id":"T1578.004","name":"Revert Cloud Instance","detectable":false},{"id":"T1578.005","name":"Modify Cloud Compute Configurations","detectable":false},{"id":"T1602","name":"Data from Configuration Repository","detectable":false},{"id":"T1648","name":"Serverless Execution","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1671","name":"Cloud Application Integration","detectable":false},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1098.001","name":"Additional Cloud Credentials","detectable":true,"detections":"Sigma"},{"id":"T1098.003","name":"Additional Cloud Roles","detectable":true,"detections":"Sigma"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1098.005","name":"Device Registration","detectable":true,"detections":"Sigma"},{"id":"T1136","name":"Create 
Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1136.003","name":"Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1484","name":"Domain or Tenant Policy Modification","detectable":true,"detections":"Sigma"},{"id":"T1484.002","name":"Trust Modification","detectable":true,"detections":"Sigma"},{"id":"T1485","name":"Data Destruction","detectable":true,"detections":"Sigma, Falco"},{"id":"T1486","name":"Data Encrypted for Impact","detectable":true,"detections":"Sigma, IDS"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1496","name":"Resource Hijacking","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1531","name":"Account Access Removal","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1546","name":"Event Triggered Execution","detectable":true,"detections":"Sigma, CAR"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1550","name":"Use Alternate Authentication Material","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1555","name":"Credentials from Password Stores","detectable":true,"detections":"Sigma, Falco"},{"id":"T1556","name":"Modify Authentication Process","detectable":true,"detections":"Sigma, Falco"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1564","name":"Hide Artifacts","detectable":true,"detections":"Sigma, CAR"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, 
IDS"},{"id":"T1567.002","name":"Exfiltration to Cloud Storage","detectable":true,"detections":"Sigma"},{"id":"T1578","name":"Modify Cloud Compute Infrastructure","detectable":true,"detections":"Sigma"},{"id":"T1578.003","name":"Delete Cloud Instance","detectable":true,"detections":"Sigma"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"}],"technique_count":62,"detectable_count":36,"coverage_pct":58,"has_mapping":true,"is_enhancement":false},{"control_id":"IPY-02","title":"Application Interface Availability","family":"IPY","techniques":[{"id":"T1538","name":"Cloud Service Dashboard","detectable":false},{"id":"T1651","name":"Cloud Administration Command","detectable":false},{"id":"T1671","name":"Cloud Application Integration","detectable":false},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1071.001","name":"Web Protocols","detectable":true,"detections":"Sigma"},{"id":"T1072","name":"Software Deployment Tools","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1098.004","name":"SSH Authorized Keys","detectable":true,"detections":"Falco"},{"id":"T1199","name":"Trusted Relationship","detectable":true,"detections":"Sigma"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"}],"technique_count":12,"detectable_count":9,"coverage_pct":75,"has_mapping":true,"is_enhancement":false},{"control_id":"IPY-03","title":"Secure Interoperability and Portability Management","family":"IPY","techniques":[{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1651","name":"Cloud 
Administration Command","detectable":false},{"id":"T1659","name":"Content Injection","detectable":false},{"id":"T1021","name":"Remote Services","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1021.007","name":"Cloud Services","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1133","name":"External Remote Services","detectable":true,"detections":"Sigma"},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1552.005","name":"Cloud Instance Metadata API","detectable":true,"detections":"Falco"},{"id":"T1552.007","name":"Container API","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1610","name":"Deploy Container","detectable":true,"detections":"Falco"}],"technique_count":16,"detectable_count":13,"coverage_pct":81,"has_mapping":true,"is_enhancement":false},{"control_id":"LOG-02","title":"Audit Logs Protection","family":"LOG","techniques":[{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1070","name":"Indicator 
Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"}],"technique_count":11,"detectable_count":5,"coverage_pct":45,"has_mapping":true,"is_enhancement":false},{"control_id":"LOG-04","title":"Audit Logs Access and Accountability","family":"LOG","techniques":[{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"}],"technique_count":8,"detectable_count":5,"coverage_pct":62,"has_mapping":true,"is_enhancement":false},{"control_id":"LOG-08","title":"Audit Logs Sanitization","family":"LOG","techniques":[{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1528","name":"Steal Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"}],"technique_count":3,"detectable_count":3,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"LOG-10","title":"Audit Records 
Protection","family":"LOG","techniques":[{"id":"T1070.002","name":"Clear Linux or Mac System Logs","detectable":false},{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1070.009","name":"Clear Persistence","detectable":false},{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","detectable":false},{"id":"T1562.008","name":"Disable or Modify Cloud Logs","detectable":false},{"id":"T1562.012","name":"Disable or Modify Linux Audit System","detectable":false},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1070.001","name":"Clear Windows Event Logs","detectable":true,"detections":"CAR"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1562.002","name":"Disable Windows Event Logging","detectable":true,"detections":"CAR"}],"technique_count":11,"detectable_count":5,"coverage_pct":45,"has_mapping":true,"is_enhancement":false},{"control_id":"STA-10","title":"Supply Chain Risk Management","family":"STA","techniques":[{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"}],"technique_count":7,"detectable_count":6,"coverage_pct":85,"has_mapping":true,"is_enhancement":false},{"control_id":"STA-16","title":"Supply Chain Data Security 
Assessment","family":"STA","techniques":[{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"}],"technique_count":4,"detectable_count":3,"coverage_pct":75,"has_mapping":true,"is_enhancement":false},{"control_id":"TVM-05","title":"Detection Updates","family":"TVM","techniques":[{"id":"T1656","name":"Impersonation","detectable":false},{"id":"T1068","name":"Exploitation for Privilege Escalation","detectable":true,"detections":"Sigma, CAR"},{"id":"T1210","name":"Exploitation of Remote Services","detectable":true,"detections":"Sigma, IDS"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"}],"technique_count":5,"detectable_count":4,"coverage_pct":80,"has_mapping":true,"is_enhancement":false},{"control_id":"TVM-06","title":"External Library Vulnerabilities","family":"TVM","techniques":[{"id":"T1176","name":"Software Extensions","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1195","name":"Supply Chain Compromise","detectable":true,"detections":"Sigma"},{"id":"T1195.001","name":"Compromise Software Dependencies and Development Tools","detectable":true,"detections":"Sigma"},{"id":"T1195.002","name":"Compromise Software Supply Chain","detectable":true,"detections":"Sigma, Falco"},{"id":"T1525","name":"Implant Internal Image","detectable":true,"detections":"Sigma"},{"id":"T1574","name":"Hijack Execution Flow","detectable":true,"detections":"Sigma, 
CAR"},{"id":"T1574.001","name":"DLL","detectable":true,"detections":"Sigma, CAR"}],"technique_count":9,"detectable_count":7,"coverage_pct":77,"has_mapping":true,"is_enhancement":false},{"control_id":"TVM-07","title":"Penetration Testing","family":"TVM","techniques":[{"id":"T1190","name":"Exploit Public-Facing Application","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1212","name":"Exploitation for Credential Access","detectable":true,"detections":"Sigma"},{"id":"T1499.004","name":"Application or System Exploitation","detectable":true,"detections":"Sigma"}],"technique_count":4,"detectable_count":4,"coverage_pct":100,"has_mapping":true,"is_enhancement":false},{"control_id":"UEM-05","title":"Endpoint Management","family":"UEM","techniques":[{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1535","name":"Unused/Unsupported Cloud Regions","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1211","name":"Exploitation for Stealth","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information 
Repositories","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"}],"technique_count":21,"detectable_count":15,"coverage_pct":71,"has_mapping":true,"is_enhancement":false},{"control_id":"UEM-08","title":"Storage Encryption","family":"UEM","techniques":[{"id":"T1530","name":"Data from Cloud Storage","detectable":false},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1550.001","name":"Application Access Token","detectable":true,"detections":"Sigma"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1552.004","name":"Private Keys","detectable":true,"detections":"Sigma, YARA"},{"id":"T1565","name":"Data Manipulation","detectable":true,"detections":"Sigma, Falco"},{"id":"T1565.001","name":"Stored Data Manipulation","detectable":true,"detections":"Sigma"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","detectable":true,"detections":"Sigma"}],"technique_count":9,"detectable_count":8,"coverage_pct":88,"has_mapping":true,"is_enhancement":false},{"control_id":"UEM-09","title":"Anti-Malware Detection and Prevention","family":"UEM","techniques":[{"id":"T1025","name":"Data from Removable 
Media","detectable":false},{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1092","name":"Communication Through Removable Media","detectable":false},{"id":"T1027","name":"Obfuscated Files or Information","detectable":true,"detections":"Sigma, IDS"},{"id":"T1036","name":"Masquerading","detectable":true,"detections":"Sigma, CAR, IDS"},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.001","name":"PowerShell","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.005","name":"Visual Basic","detectable":true,"detections":"Sigma, CAR"},{"id":"T1059.006","name":"Python","detectable":true,"detections":"Sigma"},{"id":"T1091","name":"Replication Through Removable Media","detectable":true,"detections":"Sigma"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1221","name":"Template Injection","detectable":true,"detections":"Sigma"},{"id":"T1543","name":"Create or Modify System Process","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1564","name":"Hide Artifacts","detectable":true,"detections":"Sigma, CAR"}],"technique_count":14,"detectable_count":11,"coverage_pct":78,"has_mapping":true,"is_enhancement":false},{"control_id":"UEM-10","title":"Software Firewall","family":"UEM","techniques":[{"id":"T1070.007","name":"Clear Network Connection History and Configurations","detectable":false},{"id":"T1071.005","name":"Publish/Subscribe Protocols","detectable":false},{"id":"T1205.002","name":"Socket Filters","detectable":false},{"id":"T1498.001","name":"Direct Network Flood","detectable":false},{"id":"T1498.002","name":"Reflection Amplification","detectable":false},{"id":"T1499.002","name":"Service Exhaustion Flood","detectable":false},{"id":"T1499.003","name":"Application Exhaustion Flood","detectable":false},{"id":"T1562.004","name":"Disable or Modify System Firewall","detectable":false},{"id":"T1562.007","name":"Disable 
or Modify Cloud Firewall","detectable":false},{"id":"T1070","name":"Indicator Removal","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1071","name":"Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090","name":"Proxy","detectable":true,"detections":"Sigma, IDS"},{"id":"T1090.003","name":"Multi-hop Proxy","detectable":true,"detections":"Sigma"},{"id":"T1095","name":"Non-Application Layer Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1205","name":"Traffic Signaling","detectable":true,"detections":"IDS"},{"id":"T1205.001","name":"Port Knocking","detectable":true,"detections":"Falco"},{"id":"T1219","name":"Remote Access Tools","detectable":true,"detections":"Sigma, IDS"},{"id":"T1219.002","name":"Remote Desktop Software","detectable":true,"detections":"Sigma"},{"id":"T1498","name":"Network Denial of Service","detectable":true,"detections":"Sigma, IDS"},{"id":"T1499","name":"Endpoint Denial of Service","detectable":true,"detections":"Sigma"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1572","name":"Protocol Tunneling","detectable":true,"detections":"Sigma, IDS"},{"id":"T1590.002","name":"DNS","detectable":true,"detections":"Sigma"}],"technique_count":23,"detectable_count":14,"coverage_pct":60,"has_mapping":true,"is_enhancement":false},{"control_id":"UEM-11","title":"Data Loss Prevention","family":"UEM","techniques":[{"id":"T1025","name":"Data from Removable Media","detectable":false},{"id":"T1048.002","name":"Exfiltration Over Asymmetric Encrypted Non-C2 Protocol","detectable":false},{"id":"T1052","name":"Exfiltration Over Physical Medium","detectable":false},{"id":"T1052.001","name":"Exfiltration over USB","detectable":false},{"id":"T1567.004","name":"Exfiltration Over Webhook","detectable":false},{"id":"T1005","name":"Data from Local System","detectable":true,"detections":"Sigma, IDS, Falco"},{"id":"T1020","name":"Automated 
Exfiltration","detectable":true,"detections":"Sigma, Falco"},{"id":"T1041","name":"Exfiltration Over C2 Channel","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","detectable":true,"detections":"Sigma, IDS"},{"id":"T1048.003","name":"Exfiltration Over Unencrypted Non-C2 Protocol","detectable":true,"detections":"Sigma"},{"id":"T1119","name":"Automated Collection","detectable":true,"detections":"Sigma"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1567","name":"Exfiltration Over Web Service","detectable":true,"detections":"Sigma, IDS"}],"technique_count":13,"detectable_count":8,"coverage_pct":61,"has_mapping":true,"is_enhancement":false},{"control_id":"UEM-14","title":"Third-Party Endpoint Security Posture","family":"UEM","techniques":[{"id":"T1080","name":"Taint Shared Content","detectable":false},{"id":"T1204.003","name":"Malicious Image","detectable":false},{"id":"T1213.004","name":"Customer Relationship Management Software","detectable":false},{"id":"T1535","name":"Unused/Unsupported Cloud Regions","detectable":false},{"id":"T1550.004","name":"Web Session Cookie","detectable":false},{"id":"T1606.001","name":"Web Cookies","detectable":false},{"id":"T1666","name":"Modify Cloud Resource Hierarchy","detectable":false},{"id":"T1059","name":"Command and Scripting Interpreter","detectable":true,"detections":"Sigma, CAR, IDS, Falco"},{"id":"T1059.009","name":"Cloud API","detectable":true,"detections":"Sigma"},{"id":"T1087","name":"Account Discovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1098","name":"Account Manipulation","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1136","name":"Create Account","detectable":true,"detections":"Sigma, CAR"},{"id":"T1204","name":"User Execution","detectable":true,"detections":"Sigma, CAR, Falco"},{"id":"T1211","name":"Exploitation for 
Stealth","detectable":true,"detections":"Sigma"},{"id":"T1213","name":"Data from Information Repositories","detectable":true,"detections":"Sigma"},{"id":"T1490","name":"Inhibit System Recovery","detectable":true,"detections":"Sigma, CAR"},{"id":"T1537","name":"Transfer Data to Cloud Account","detectable":true,"detections":"Sigma"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","detectable":true,"detections":"Sigma, CAR"},{"id":"T1552","name":"Unsecured Credentials","detectable":true,"detections":"Sigma, CAR, IDS, YARA, Falco"},{"id":"T1562","name":"Impair Defenses","detectable":true,"detections":"CAR"},{"id":"T1562.001","name":"Disable or Modify Tools","detectable":true,"detections":"CAR"},{"id":"T1606","name":"Forge Web Credentials","detectable":true,"detections":"Sigma, CAR"}],"technique_count":22,"detectable_count":15,"coverage_pct":68,"has_mapping":true,"is_enhancement":false}],"families":[{"family":"AIS","controls":6,"controls_with_mapping":6,"distinct_techniques":42,"detectable_techniques":31,"coverage_pct":73},{"family":"BCR","controls":1,"controls_with_mapping":1,"distinct_techniques":10,"detectable_techniques":6,"coverage_pct":60},{"family":"CEK","controls":1,"controls_with_mapping":1,"distinct_techniques":14,"detectable_techniques":11,"coverage_pct":78},{"family":"DCS","controls":5,"controls_with_mapping":5,"distinct_techniques":34,"detectable_techniques":18,"coverage_pct":52},{"family":"DSP","controls":6,"controls_with_mapping":6,"distinct_techniques":56,"detectable_techniques":45,"coverage_pct":80},{"family":"HRS","controls":1,"controls_with_mapping":1,"distinct_techniques":11,"detectable_techniques":7,"coverage_pct":63},{"family":"I\u0026S","controls":6,"controls_with_mapping":6,"distinct_techniques":65,"detectable_techniques":53,"coverage_pct":81},{"family":"IAM","controls":14,"controls_with_mapping":14,"distinct_techniques":104,"detectable_techniques":67,"coverage_pct":64},{"family":"IPY","controls":2,"controls_with_mapping":2,"distinct_tech
niques":24,"detectable_techniques":19,"coverage_pct":79},{"family":"LOG","controls":4,"controls_with_mapping":4,"distinct_techniques":14,"detectable_techniques":8,"coverage_pct":57},{"family":"STA","controls":2,"controls_with_mapping":2,"distinct_techniques":7,"detectable_techniques":6,"coverage_pct":85},{"family":"TVM","controls":3,"controls_with_mapping":3,"distinct_techniques":15,"detectable_techniques":12,"coverage_pct":80},{"family":"UEM","controls":6,"controls_with_mapping":6,"distinct_techniques":72,"detectable_techniques":49,"coverage_pct":68}],"total_controls":57,"controls_with_mapping":57,"distinct_techniques":213,"detectable_techniques":140,"overall_coverage_pct":65,"unmapped_enhancements":0,"no_mappings_at_all":false}
