Update ArtifactRegistry.yaml

[hashcat3]

Each of the controls are categorized as Protect, though each of their comments mentions that once the control is deployed, it can Detect nefarious activity. Should the said controls be mapped to both a Protect and Detect categories? With the given description I'd recommend Detect only. Example: Compare T1068 with T1212.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[rossj-en]

Taking a look and will review today.

[jadriangg1]

@hashcat3 To answer your question, these are labeled correctly as it best matched our scoring rubric's definitions for security controls, but I'll modify the language to avoid similar confusion in the description:

• Protect is a security control's ability to prevent or minimize the impact of the execution of an ATT&CK.
• Detect a security control's ability to detect the execution of an ATT&CK (sub-)technique.

For example, a vulnerability scanning capability would be categorized as Protect, where real-time indicators of compromise alerts in a SIEM dashboard would be categorized as Detect. I hope this helps. If you have any questions or comments, please feel free to reach out. Ty!

Reference: https://github.com/center-for-threat-informed-defense/security-stack-mappings/blob/main/docs/scoring.md

[jadriangg1]

Instead of changes to the category field, we should change all comments to replace detect with identify.