Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Visualizing MITRE Tactics and Techniques that are Detected in a Specific Timeframe

 

Tune your rules by the MITRE ATT&CK tactics and techniques that are detected in your environment within a specific timeframe. QRadar Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe.

If you want to filter by MITRE ATT&CK tactics, you must first map your rules to MITRE tactics and techniques. For more information, see Editing MITRE Mappings in a Rule or Building Block.

The more filters that you apply to the rules, the more fine-tuned the list of results you get. QRadar Use Case Manager uses the OR condition within the options of one filter group, and uses the AND condition across multiple groups of filters. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon).

  1. On the Use Case Explorer page, click ATT&CK Actions >Detected in timeframe.
  2. Select a content template.

    If you don't select a template, the default template (ATT&CK tactics and techniques detected in offenses in the last 24 hours) is used.

  3. If you want to change the timeframe, in the Offenses filter, select a timeframe or a specific interval to filter the offenses.
  4. Fine-tune the report by excluding different types of offenses as needed in the Offenses filter.
  5. Select from the filters in the MITRE ATT&CK section. The following options are available to filter:

    Tactics - Select tactics from the list. For example, an Initial Access tactic is used by adversaries who are trying to get into your network.

    Technique - Select techniques from the list. The techniques are pre-filtered to match the selected tactic. For example, an Account Discovery technique occurs when adversaries attempt to get a list of your local system or domain accounts.

    Mapping confidence - Indicates mappings that are assigned a specific level of confidence for rule coverage.

    Mapping enabled - Indicates for each rule whether the mapping between the tactic or technique and rules is turned on. Mappings that are not enabled are not added to the technique coverage heat map.

  6. To update the rule report with your filters, click Apply Filters.
  7. QRadar Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe.

    Scroll through the heat map visualization to see the different techniques that are affected by those rules. For more information, see MITRE Heat Map Calculations.