Security Technologies Settings Page
The Security Technologies Settings page is where you view and create rules for identifying security technologies in your environment and add logos for the security technologies. To access this page, go to Settings > Director Settings. Then select Security Technologies.
Security Technologies settings
When jobs are processed, the platform examines the events culled from integrations and compares the fields to the security technology definitions. The Validation Platform comes pre-populated with definitions for the common security technologies. The technologies that are identified are populated in the Security Technologies tables under Environment > Security Technologies. Their logos will also appear on the map.
If you have a security technology that the Validation Platform does not have a definition for, you can create new rules. If you are comfortable working with JSON, you can write these in the Client-specific Config area of this page. If you do not want to write it out using JSON and you have a Job with events that don't have a defined security technology, you can also use the EVP process. This can be started from Job Results or from the Gauges. See Creating New Security Technology Definitions for more information.
Network Security Technology Definitions
The network security technology definitions include the following sections.
Technology:
Entry that provides overview details of the security technology, such as vendor, product, security technology type, and optional entries like description, logo, and version
Prevention:
Entry that populates if prevention is possible for that technology
Entries that show how integrations know that the security technology blocked a behavior or attack
NOTE: This section is optional.
Discovery:
Entries that represent how integrations identify or discover the security technology, which include the following:
type: How integrations identify the security technology (this will always be "field")
field: Name of the field where the information comes from
value: Value in the field
The following figure shows an example of one of the Validation Platform's pre-configured network security technology definitions.
Example of a Network Security Technology Definition
Endpoint Security Technology Definitions
Endpoint security technology definitions include the following sections:
Technology:
Entry provides overview details
Discovery:
Entries that represent how the security technology is discovered. This includes the type, which is how the integrations identify the security technology (this could be file_exists, directory_exists, service_exists, or program installed).
NOTE: Additional fields will be included based on how the "type" field is populated.
Logs:
Entry identifies the log type and source that the Validation Platform pulls events from and lists any logs on the operating system where events could be found.
This determines where we look for host events on an Actor when running Host CLI Actions. This can come from Windows event logs or a flat log file. In the config, a logs item must have a type key that can be either event_log or file. Depending on the type value, we require different additional fields.
For event_log type items:
value: this is the log name, for example, "Application" or "Security"
filter: this is a dictionary with a single key, source, which is a list of log source values to filter by. The log source value corresponds to the Name attribute of the System Provider field in Windows event logs. There's an example of this later in this section.
For file type items:
value: this is the filepath of the log file to check
regex: a multi-line Python-compatible regex used to parse log entries. Named groups must use the syntax (?P<name>...). We will respect the following list of group names in the regex, although you can include additional ones, if appropriate:
computer
message
src_log_file
log_name
event_id
category
event_type
user
opcode
keywords
Prevention:
Entries that represent how the Validation Platform knows the security technology blocked a behavior or attack
NOTE: This section is optional.
An example of one of the Validation Platform's pre-configured endpoint security technology definitions is available in .
Example of an Endpoint Security Technology Definition
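As an added example (not code from the Validation Platform or its documentation), the following Python checks the logs items of an endpoint definition against the rules described above (an event_log item needs value and filter.source; a file item needs value and a Python regex with named groups) and then applies a file item's regex to constructed log lines, keeping only the group names listed above. The definition, vendor, service name, log path, log format and log lines are all invented for illustration.

```python
import re

# Group names this page lists as respected in a "file" log regex.
RECOGNIZED_GROUPS = {"computer", "message", "src_log_file", "log_name", "event_id",
                     "category", "event_type", "user", "opcode", "keywords"}

# Constructed endpoint definition for illustration only: the key names follow
# this page, while the vendor, product, service, path and regex are invented.
EXAMPLE_DEFINITION = {
    "technology": {"vendor": "ExampleVendor", "product": "ExampleEDR", "type": "EDR"},
    "discovery": {"type": "service_exists", "value": "ExampleEDRService"},
    "logs": [
        {"type": "event_log", "value": "Application",
         "filter": {"source": ["ExampleEDR"]}},
        {"type": "file", "value": r"C:\ProgramData\ExampleEDR\agent.log",
         "regex": r"^(?P<ts>\S+) (?P<event_type>\w+) id=(?P<event_id>\d+) "
                  r"user=(?P<user>\S+) (?P<message>.*)$"},
    ],
}

def validate_logs(definition):
    """Return a list of problems with the logs section; an empty list means it follows the rules."""
    problems = []
    for i, item in enumerate(definition.get("logs", [])):
        kind = item.get("type")
        if kind == "event_log":
            source = item.get("filter", {}).get("source")
            if "value" not in item or not isinstance(source, list):
                problems.append(f"logs[{i}]: event_log needs value and filter.source list")
        elif kind == "file":
            try:
                names = set(re.compile(item.get("regex", ""), re.MULTILINE).groupindex)
            except re.error as exc:
                problems.append(f"logs[{i}]: bad regex ({exc})")
                continue
            if "value" not in item or not names & RECOGNIZED_GROUPS:
                problems.append(f"logs[{i}]: file needs value and a regex with recognized groups")
        else:
            problems.append(f"logs[{i}]: type must be event_log or file, got {kind!r}")
    return problems

def parse_file_log(log_item, text):
    """Apply a file item's multi-line regex to log text and keep only recognized groups."""
    pattern = re.compile(log_item["regex"], re.MULTILINE)
    return [{k: v for k, v in m.groupdict().items() if k in RECOGNIZED_GROUPS}
            for m in pattern.finditer(text)]

# Constructed log lines in the invented format matched by the regex above.
SAMPLE_LOG = ("2024-01-01T10:00:00Z blocked id=4001 user=alice Execution prevented\n"
              "2024-01-01T10:00:05Z heartbeat id=1 user=SYSTEM agent alive\n")
```

The extra `ts` group is allowed by the rules above but is dropped from the parsed result because it is not one of the recognized names.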
Creating New Security Technology Definitions
If you have a security technology that the Validation Platform does not have a definition for, or for which information is missing, you can manually add the security definition. This can be for a new security technology or to add information to an existing technology. If you are comfortable working with JSON, you can write these in the Client-specific Config area of this page.
If you do not want to write it out using JSON and you have a Job with events that don't have a defined security technology, you can also use the EVP process, which includes using existing events and the forms that are part of EVP. You can create new network and endpoint security technology definitions using the template in the Security Technology settings by switching the text to the other option. You can use the parsed event to populate the definitions. See Effectiveness Validation Process (EVP) for more information.
For example, you can add definitions for how the integrations discover the security technology (represented by the corresponding icon) or how the integrations identify when the security technology prevented/blocked a test (represented by the corresponding icon).
Access this form by clicking on one of the following options:
The security technology icon (or +) from an event in a Job
The unknown technology process for the Gauges
The filtered Jobs list for the MITRE Dashboard
unpopulated form
populated form
As customers send us their custom definitions, we will review and integrate them into the pre-defined definitions as appropriate.