MITRE ATT&CK Mappings and Visualization
The MITRE ATT&CK framework represents adversary tactics that are used in a security attack. It documents common tactics, techniques, and procedures that can be used in advanced persistent threats against enterprise networks.
The following phases of an attack are represented in the MITRE ATT&CK framework:
MITRE ATT&CK Tactic
Gain entry to your environment.
Run malicious code.
Gain higher-level permissions.
Steal login and password information.
Figure out your environment.
Move through your environment.
Command and Control
Contact controlled systems.
Workflow for MITRE ATT&CK mapping and visualization
Create your own rule and building block mappings in QRadar Use Case Manager, or modify QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.
Save time and effort by editing multiple rules or building blocks at the same time, and by sharing rule-mapping files between QRadar instances. Export your MITRE mappings (custom and IBM default) as a backup of custom MITRE mappings in case you uninstall the app and then decide later to reinstall it. For more information, see Uninstalling QRadar Use Case Manager.
After you finish mapping your rules and building blocks, organize the rule report and then visualize the data through diagrams and heat maps. Current and potential MITRE coverage data is available in the following reports: Detected in timeframe report, Coverage map and report, and Coverage summary and trend.
Create your own rule and building block mappings or modify QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.
Save time and effort by editing multiple rules or building blocks at the same time.
Save time and effort when mapping rules and building blocks to tactics and techniques by sharing rule-mapping files between QRadar instances.
Visualize the coverage of MITRE ATT&CK tactics and techniques that the rules provide in QRadar. After you organize the rule report, you can visualize the data through diagrams and heat maps and export the data to share with others.
Tune your rules by the MITRE ATT&CK tactics and techniques that are detected in your environment within a specific timeframe. QRadar Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe.
The colors in the MITRE heat maps are calculated based on the number of rule mappings to a tactic or technique plus the level of mapping confidence (low, medium, or high).