Not all of the finding types in AWS GuardDuty are currently mapped. #177
Comments
Hi pengfei093,
Hi Tiffany,
Thank you for taking the time to review my mappings.
I have a question: Does Mitre have any open-source projects that can assist
with this task? For instance, are there any existing tools or libraries
that can automate this mapping process using NLP methods? If not, do you
have plans to develop one in the future? I believe such an initiative would
be valuable for the security field.
Thank you,
Best regards,
Peng Fei
On Wed, Mar 1, 2023 at 2:51 PM Tiffany Bergeron ***@***.***> wrote:
Hi pengfei093,
Thank you for sharing your input and mappings with the Center towards
expanding the current AWS to ATT&CK mapping repository. We’re always
interested in providing additional resources to help the community make
threat-informed decisions and appreciate your submission. We plan to review
your contributions in relation to the project methodology and scoping
decisions, in consideration for inclusion in the Center’s mapping
repository.
While we certainly see the value in NLP, that is not in scope at this time. On the surface the Center's security capability mapping work may seem like a simple effort, but in reality the investment is not insignificant. The mapping work involves carefully analyzing the details of each capability or control to determine the associated ATT&CK techniques in order to provide a curated knowledge base of mappings between them.
While AWS GuardDuty has 116 finding types, the current Mitre TTP mapping only covers 68 of them.
To address this gap, I have created a spreadsheet for further analysis and welcome others to join and contribute.
You can access the spreadsheet here: https://docs.google.com/spreadsheets/d/1zUkAopFpIEngz_u9qFfNy457vYPiVj73CMb_KRn81kA/edit#gid=0.
For reference, you can find the complete list of AWS GuardDuty finding types here:
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html
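The coverage gap described in this issue (116 active finding types, 68 mapped) can be recomputed mechanically rather than tracked by hand in a spreadsheet. The script below is an added example and is not code from the Center's security-stack-mappings project; the `ACTIVE_TYPES` and `MAPPED_TYPES` lists are constructed samples standing in for the AWS active finding-type list and for the finding types the mapping files reference, and the script does not parse the repository's own file format. It splits each finding type according to the naming scheme AWS documents (`ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact`), reports which active types have no mapping, flags mapped types that AWS has since retired, and breaks coverage down by threat purpose so contributors can pick a category to work on.

```python
"""Coverage check for the GuardDuty -> ATT&CK mapping gap.

Added example; not code from the Center's security-stack-mappings project.
The two lists below are constructed samples standing in for (a) the active
finding-type list from the AWS GuardDuty docs and (b) the finding types the
mapping files currently reference.
"""
import re
from collections import defaultdict

# Documented GuardDuty finding-type naming scheme:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# DetectionMechanism and Artifact are optional.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[^.!]+)(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)

# Constructed sample of active finding types (the real list has 116 entries).
ACTIVE_TYPES = [
    "Backdoor:EC2/C&CActivity.B!DNS",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "Discovery:S3/MaliciousIPCaller",
    "Impact:EC2/WinRMBruteForce",
    "PenTest:IAMUser/KaliLinux",
    "Recon:EC2/PortProbeUnprotectedPort",
    "Trojan:EC2/DNSDataExfiltration",
    "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "Execution:Kubernetes/ExecInKubeSystemPod",
]

# Constructed sample of what a mapping repository might reference, including
# one retired type that no longer appears in the active list.
MAPPED_TYPES = [
    "Backdoor:EC2/C&CActivity.B!DNS",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "Recon:EC2/PortProbeUnprotectedPort",
    "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "Recon:IAMUser/NetworkPermissions",
]


def parse_finding_type(finding_type):
    """Split a finding type into its documented components; ValueError if malformed."""
    m = FINDING_TYPE_RE.match(finding_type.strip())
    if not m:
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    return m.groupdict()


def coverage_report(active, mapped):
    """Return unmapped active types, stale mapped types, and per-purpose coverage."""
    active_set = {ft.strip() for ft in active}
    mapped_set = {ft.strip() for ft in mapped}
    # Validate every input once so a typo in a mapping file fails loudly.
    for ft in active_set | mapped_set:
        parse_finding_type(ft)

    by_purpose = defaultdict(lambda: [0, 0])  # purpose -> [mapped, total]
    for ft in active_set:
        purpose = parse_finding_type(ft)["purpose"]
        by_purpose[purpose][1] += 1
        if ft in mapped_set:
            by_purpose[purpose][0] += 1

    return {
        "unmapped": sorted(active_set - mapped_set),
        "stale": sorted(mapped_set - active_set),
        "by_purpose": {p: tuple(c) for p, c in sorted(by_purpose.items())},
        "covered": len(active_set & mapped_set),
        "total": len(active_set),
    }


if __name__ == "__main__":
    report = coverage_report(ACTIVE_TYPES, MAPPED_TYPES)
    print(f"covered {report['covered']}/{report['total']} active finding types")
    for purpose, (done, total) in report["by_purpose"].items():
        print(f"  {purpose:<20} {done}/{total}")
    print("unmapped:", *report["unmapped"], sep="\n  ")
    print("stale (in mapping but no longer active):", *report["stale"], sep="\n  ")
```

To run it against the real inputs, replace `ACTIVE_TYPES` with the finding types scraped from the AWS page linked above and `MAPPED_TYPES` with the finding types extracted from the repository's mapping files; the "stale" list is worth keeping, because a mapping that names a retired finding type is a false sense of coverage.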