Active Detection of Advanced Persistent Threats
- Windows - Windows 7 machines using Sysmon and Winlogbeat to send log data to the SIEM
- ELK - ELK server collects log data from the workstations and forwards logs to the API for our tool
- API - Stores logs for analysis and retrieves them for the frontend web server
- Analysis Engine - Queries the database and applies our probabilistic model to the log data
- Web Console - Provides an interface for interacting with results from the analysis engine
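To make the pipeline concrete, here is an added example (not code from this project) of the step the Analysis Engine performs once Sysmon events have arrived via Winlogbeat and ELK: parse the JSON documents, map each event to MITRE ATT&CK techniques, and combine the evidence per host into a score. The `winlog.*` field layout follows what Winlogbeat ships to Elasticsearch; the detection rules, their weights, the sample events and the noisy-OR combination are all constructed for this example, because the page does not specify the project's actual model.

```python
import json
from typing import Callable, Dict, List, Tuple

# A rule is (predicate over a parsed event, ATT&CK technique id, short name, weight).
# The weight is an assumed probability that the matched behaviour is malicious;
# the numbers are illustrative, not fitted values.
Rule = Tuple[Callable[[dict], bool], str, str, float]


def _event_data(event: dict) -> dict:
    """Return the Sysmon EventData block of a Winlogbeat-shipped event."""
    return event.get("winlog", {}).get("event_data", {})


def _event_id(event: dict) -> int:
    return int(event.get("winlog", {}).get("event_id", -1))


def _image_is(event: dict, exe: str) -> bool:
    return _event_data(event).get("Image", "").lower().endswith("\\" + exe)


# Constructed rules for three Sysmon-observable behaviours (event 1 = process
# creation, event 13 = registry value set). Technique ids are real ATT&CK ids.
RULES: List[Rule] = [
    (lambda e: _event_id(e) == 1 and _image_is(e, "powershell.exe")
     and "-enc" in _event_data(e).get("CommandLine", "").lower(),
     "T1059.001", "PowerShell with encoded command", 0.6),
    (lambda e: _event_id(e) == 1 and _image_is(e, "schtasks.exe")
     and "/create" in _event_data(e).get("CommandLine", "").lower(),
     "T1053.005", "Scheduled task creation", 0.5),
    (lambda e: _event_id(e) == 13
     and "\\currentversion\\run\\" in _event_data(e).get("TargetObject", "").lower(),
     "T1547.001", "Registry Run key persistence", 0.7),
]

# Constructed sample documents in the winlog.* layout Winlogbeat uses; all
# hostnames, users, paths and command lines are made up for this example.
SAMPLE_EVENTS: List[str] = [json.dumps(d) for d in [
    {"host": {"name": "WS-01"},
     "winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
                "event_data": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                               "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
                               "User": "CORP\\alice"}}},
    {"host": {"name": "WS-01"},
     "winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13,
                "event_data": {"TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                               "Details": "C:\\Users\\alice\\AppData\\Roaming\\upd.exe"}}},
    {"host": {"name": "WS-02"},
     "winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
                "event_data": {"Image": "C:\\Windows\\System32\\schtasks.exe",
                               "CommandLine": "schtasks /create /sc minute /mo 5 /tn Sync /tr C:\\Temp\\s.exe"}}},
    {"host": {"name": "WS-03"},
     "winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
                "event_data": {"Image": "C:\\Windows\\System32\\notepad.exe",
                               "CommandLine": "notepad.exe notes.txt"}}},
    {"host": {"name": "DC-01"},  # not a Sysmon event: filtered out below
     "winlog": {"channel": "Security", "event_id": 4624, "event_data": {}}},
]]


def parse_event(raw: str) -> dict:
    """Parse one JSON document as shipped by Winlogbeat; reject non-Sysmon channels."""
    event = json.loads(raw)
    if event.get("winlog", {}).get("channel") != "Microsoft-Windows-Sysmon/Operational":
        raise ValueError("not a Sysmon event")
    return event


def match_techniques(event: dict) -> List[Tuple[str, str, float]]:
    """Return every (technique id, name, weight) whose rule fires on the event."""
    return [(tid, name, w) for pred, tid, name, w in RULES if pred(event)]


def noisy_or(weights: List[float]) -> float:
    """P(host compromised) = 1 - prod(1 - w_i), treating indicators as independent."""
    p_clean = 1.0
    for w in weights:
        p_clean *= 1.0 - w
    return 1.0 - p_clean


def score_hosts(raw_events: List[str]) -> Dict[str, dict]:
    """Aggregate matched techniques per host (max weight per technique) and score."""
    per_host: Dict[str, Dict[str, float]] = {}
    for raw in raw_events:
        try:
            event = parse_event(raw)
        except ValueError:
            continue  # only Sysmon events feed this model
        host = event.get("host", {}).get("name", "unknown")
        seen = per_host.setdefault(host, {})
        for tid, _name, w in match_techniques(event):
            seen[tid] = max(w, seen.get(tid, 0.0))  # repeats do not inflate the score
    return {h: {"techniques": sorted(t), "score": noisy_or(list(t.values()))}
            for h, t in per_host.items()}


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        print(host, result)
```

Deduplicating by technique id before the noisy-OR matters: a host that runs the same encoded PowerShell command fifty times should not look fifty times more compromised than one that runs it once, whereas a host showing two different techniques (execution plus persistence) should score higher than either alone.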
Additional info:
Source: B. E. Strom, A. Applebaum, D. P. Miller, K. C. Nickels, A. G. Pennington, and C. B. Thomas, “MITRE ATT&CK: Design and Philosophy,” MITRE Corporation, 2018.