Learn how to effectively validate ATT&CK technique coverage through EDR telemetry in this 52-minute technical talk from Red Canary's Detection Validation Engineers. Explore the fundamentals of EDR telemetry analysis at scale and discover methods for breaking down ATT&CK techniques into individual data components. Master functional testing approaches and understand how specific actions translate to telemetry records across different EDR sensors. Gain practical knowledge about tooling that supports test execution and telemetry analysis, while learning to establish automated validation workflows for security teams. Examine real-world examples demonstrating where EDR telemetry succeeds and fails in detecting ATT&CK techniques, drawing from experience handling nearly a petabyte of daily endpoint telemetry. Discover how to initiate system validation processes and leverage the ATT&CK framework as an effective validation discussion tool.
Tidying up your nest: Validating ATT&CK technique coverage using EDR telemetry
Taught by: Red Canary