# Workspace
The Workspace provides insights into your current detective control coverage. It is where your analyst, purple team, or detection engineer will spend most of their time learning about, testing, measuring, and tracking all the tactics, techniques, and procedures associated with your operation.
As data populates the Workspace (see Procedure group and Procedure details, below), it updates the two summary charts in real time. These charts illustrate what coverage you have at each major visibility level and at each phase of the cyber kill chain. They also allow you to see where there are major breakdowns and to prioritize remediation, tool updates, and/or staff updates.
# Overall Coverage Summary
The Overall Coverage Summary graph shows a breakdown, as percentages or as a count, of your missed vs. covered Procedures.
- Select the hamburger menu to view the chart in full screen, print the chart, or download an image or CSV file of the graph.
- Hover over any bar to put focus on the overall coverage summary by missed or covered procedures.
# Overall Coverage Summary by Tactic
The Overall Coverage Summary by Tactic graph shows your coverage in either percentage or count by tactic.
- In the upper right-hand corner, you can select different graph views (bar, horizontal bar plot, scatter plot, and radar).
- Select the hamburger menu to view the chart in full screen, print the chart, or download an image or CSV file of the graph.
- Hover over any bar to put focus on a specific status for all the tactics.
# Procedure group table (lower left quadrant)
The Procedure group table displays procedures grouped by attack flow or MITRE attack tactics.
Here you can:
- Export/download the procedures in any of the following formats: CSV, JSON, and PDF, by selecting the export icon.
- Select the expand icon to the left of an individual procedure group to expand and display the individual procedures in the group.
# Procedure details group (lower right quadrant)
Use the following steps to access the Procedure details group.
Select any row in the Procedure group table to display details for that procedure in the right lower quadrant of the page. It encompasses five tabs of organized procedure details: Visibility, Details, Activity Log, Files, and Tags.
Use the table controls in the top right corner to expand, contract, or close the group.
The information included in each tab is described below.
# Visibility tab
The Visibility tab provides data on a specific tactic (Persistence in the example below) with the specific procedure referenced below it.
You can mark the procedure as an acceptable risk, check the procedure level status, and view the procedure's data sources.
Levels describe how far your visibility into each BAS play extends, from logging through prevention:
- Is the activity logged?
- Does that log feed into a detection? (A detection indicates that something unusual is happening in your environment, but does not yet establish whether it is malicious.)
- Is that detection flowing into an alert that should have someone react to it?
- Is that alert triggering some type of response ticket to the incident response team to start a triage action?
- Once resolved, are prevention measures put in place to prevent future breaches of this nature?
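The two summary charts and the five visibility levels above describe a roll-up that a detection engineer may also want to reproduce outside the product, for example to track coverage in a ticket or a report. The following Python script is an added example and is not code from the BAS product or its documentation. It assumes a procedure record carries a tactic, the highest visibility level reached (logged < detected < alerted < responded < prevented, in the order listed above), and an accepted-risk flag; how the product itself decides that a procedure is "covered" is not stated on this page, so here a procedure counts as covered when its level is at or above a chosen threshold, and accepted-risk procedures are left out of the "missed" figure. The procedure names and tactics in the sample data are constructed.

```python
"""Coverage roll-up over procedures with visibility levels.

Added example, not part of the BAS product or its documentation. The
five levels and the covered/missed split mirror the page; the rule for
"covered" (level at or above a threshold) and the handling of accepted
risk (excluded from "missed") are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Ordered visibility levels, lowest to highest, as listed on the page.
LEVELS = ["logged", "detected", "alerted", "responded", "prevented"]


@dataclass
class Procedure:
    name: str
    tactic: str
    level: Optional[str]        # highest level reached; None = no visibility at all
    accepted_risk: bool = False


def level_rank(level: Optional[str]) -> int:
    """Position of a level in LEVELS; -1 when the procedure has no visibility."""
    return -1 if level is None else LEVELS.index(level)


def is_covered(proc: Procedure, threshold: str = "detected") -> bool:
    """Assumed rule: covered when the reached level is at or above the threshold."""
    return level_rank(proc.level) >= LEVELS.index(threshold)


def coverage_summary(procs, threshold: str = "detected") -> dict:
    """Counts and percentage of covered vs. missed, like the Overall Coverage Summary."""
    covered = sum(1 for p in procs if is_covered(p, threshold))
    accepted = sum(1 for p in procs if not is_covered(p, threshold) and p.accepted_risk)
    missed = len(procs) - covered - accepted
    considered = covered + missed          # accepted-risk items are not counted as missed
    pct = round(100.0 * covered / considered, 1) if considered else 0.0
    return {"covered": covered, "missed": missed,
            "accepted_risk": accepted, "percent_covered": pct}


def coverage_by_tactic(procs, threshold: str = "detected") -> dict:
    """Per-tactic roll-up, like the Overall Coverage Summary by Tactic chart."""
    groups = defaultdict(list)
    for p in procs:
        groups[p.tactic].append(p)
    return {tactic: coverage_summary(ps, threshold) for tactic, ps in sorted(groups.items())}


def level_histogram(procs) -> dict:
    """How many procedures stop at each level; a pile-up at one level points to a
    breakdown in the pipeline right after it (e.g. logged but never detected)."""
    counts = {lvl: 0 for lvl in LEVELS}
    counts["none"] = 0
    for p in procs:
        counts[p.level if p.level is not None else "none"] += 1
    return counts


def to_csv_lines(by_tactic: dict) -> list:
    """Flatten the per-tactic roll-up into CSV rows (header first)."""
    rows = ["tactic,covered,missed,accepted_risk,percent_covered"]
    for tactic, s in by_tactic.items():
        rows.append(f"{tactic},{s['covered']},{s['missed']},"
                    f"{s['accepted_risk']},{s['percent_covered']}")
    return rows


# Constructed sample data for the example (not real BAS procedures).
SAMPLE = [
    Procedure("Registry run key", "Persistence", "alerted"),
    Procedure("Scheduled task", "Persistence", "logged"),
    Procedure("WMI event subscription", "Persistence", None, accepted_risk=True),
    Procedure("LSASS memory read", "Credential Access", "responded"),
    Procedure("Kerberos ticket request burst", "Credential Access", "logged"),
    Procedure("PowerShell download cradle", "Execution", "detected"),
]

if __name__ == "__main__":
    print(coverage_summary(SAMPLE))
    print(level_histogram(SAMPLE))
    print("\n".join(to_csv_lines(coverage_by_tactic(SAMPLE))))
```

Raising the threshold (for example to `"alerted"`) shows how much coverage survives when only procedures that actually reach an analyst are counted; the histogram is the quicker way to see which hand-off in the log, detect, alert, respond, prevent chain is where procedures stall.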
# Editing the Visibility tab options
You can edit the Visibility tab to update the accepted risk, detection levels, and data sources.
Select the Edit icon in the upper right corner of the Visibility tab to enter edit mode.
Make one or more of the following edits as needed:
- Select or clear the Accepted Risk button to indicate that a vulnerability can be marked as an "Accepted Risk" and will no longer appear as a threat in need of remediation.
- Select the button beneath any/all of the Levels options to indicate to what degree you prefer a discovered vulnerability should be logged, detected, alerted, responded to, or prevented.
- Select the Add Row bar button in the Data Sources field group to add one or more data source details.
- Add a comment in the Comment field to document your editing choices, using the full text editor that supports text formatting, including code snippets, image uploads, links, tables, and timestamps.
Select Save to save your changes.
Note: See the BAS glossary for further details and definitions of the terms above.
# Details tab
The Details tab contains educational information on what the attack is, why it's meaningful, how to execute it manually, and how to develop detections for it.
It includes the name of the Procedure, the Detection Coverage levels and their statuses, the description, business impact, verification instructions, references, and tags associated with that Procedure.
# Activity Log tab
When you run a play, the Activity Log tracks all your play executions. This tab shows a history of the selected Procedure. It also allows you to add and view comments.
Select the BAS Comment icon to display a Comment field with rich text editing and support for adding links and uploading images.
Once you complete entering your comment, select Post to close the field with your comment displayed.
# Files tab
The Files tab is where you upload files related to the procedure.
# Tags tab
The tag information supplied here tells you why you should care about this particular play. The tags displayed here are grouped into categories associated with the selected Procedure: Global, Threat Actor, and Tool and Malware.
The BAS module focuses on solid behavior-based test cases. In the example above, this play is known to be used by 31 threat actors and this is why you should care.