Scoring Table
Aspects of the technique covered | Bypassing (evasion/obfuscation)
None | N/A
Small number of aspects of the technique | Bypassing (evasion/obfuscation) could be possible
More aspects of the technique compared to "1/Basic" | Bypassing (evasion/obfuscation) could be possible
Many known aspects of the technique | Bypassing (evasion/obfuscation) could be possible
Almost all known aspects of the technique | Bypassing (evasion/obfuscation) is hard
N/A | N/A
N/A | N/A
High | Possibly high
Data field completeness | Indicates to what degree the data has the required information/fields, and to what degree those fields contain data. | Are all the required data fields in the event present, and do they contain the data needed to perform my investigation?
Retention | Indicates how long the data is stored compared to the desired data retention period. | For how long is the data available? How long do you want to keep the data?
Example: We are missing event data for endpoints running an older version of Windows.
4 - Very good | Data source is available from 76-99% of the devices. | Required fields are available from 76-99%.
5 - Excellent | Data source is available for 100% of the devices. | Required fields are available for 100%.
Timeliness | Consistency | Retention
Do not know / not documented / not applicable | Do not know / not documented / not applicable | Do not know / not documented / not applicable
It takes a long time before the data is available. | 1-50% of the fields are standardized in name and type. | Data retention is within 1-25% of the desired period.