Collection Management Framework

The Collection Management Framework (CMF) is a tool to understand what data sources you currently use in your threat intelligence program, and the value you gain from those sources.

Use with Intelligence Requirements

When developing your Intelligence Requirements (IRs), it’s helpful to know what data sources would enable you to answer the key intelligence questions in the IRs, which is where the CMF comes into play. With your CMF, you can quickly and easily understand if you posess the right data in your environment to confidently answer the questions in the IRs.

Use with Threat Hunts

Similarly, when conducting your threat hunts, it’s important to know what data sources you have at your disposal, since you’ll be able to quickly tell if you’ll be able to detect or find the information you are after. If there is a new detection rule released for an RCE vulnerability and it requires PCAP data, you can quickly tell if you currently have PCAP collection, and if not, you’ll know you probably won’t be able to succesfully hunt for this activity. As with IRs, measuring your sources against their use will help you prioritize what sources get matured. Using both IRs and hunts as input will help you measure what is the most critical sources.

Maturity Model

Alongside the CMF, lives the Maturity Model, which is a tool to measure the stage in which you are utilizing your CMF. This ranges from immature phases and actions such as one-off queries through the CLI or ad-hoc queries in the UI, to more advanced maturity levels where there are automated processes in place to automatically utilize the dataset.
Look at what sources are utilized most in your IRs which will help prioritize leveling up the sources that aren’t as mature as other sources not typically used

Maturity Model Levels

These levels are taken from this blog which lists the various areas of maturity for each data sources, but more succintly, the following guidelines are used when defining sources, however, how you define these are up to you.

Initial

We can query the dataset ad-hoc through the GUI or CLI. Useful for data enrichment

Repeatable

The data source is readily available to use through internal toolset

Defined

There is clear documentation on how to use the data source as well as SOP’s in place for using the data

Managed

Metrics inform the quality of data we are getting from the collection source

Optimizing

We are able to innovate and enable new methods of pivoting and searching with the collection source

Collection Sources

Under the Collection menubar item is Collection Sources, in this tab you’ll find all the data sources contained in your CMF, as well as two helpeful dashboards. One is the “Top Sources Utilized in Intelligence Requirements”, and the other is “Top Sources Utilized in Threat Hunts”. Each of these graphs show you what sources are being used in their respective areas. maturitymodel Using these graphs you can quickly understand what sources are being used the most, which typically would inform what sources you should prioritize maturing.