MITRE ATT&CK Mapping and Visualization

The MITRE ATT&CK framework represents adversary tactics that are used in a security attack. It documents common tactics, techniques, and procedures that can be used in advanced persistent threats against enterprise networks.

The following phases of an attack are represented in the MITRE ATT&CK framework:



Initial Access

Gain entry to your environment.

Execution

Run malicious code.

Persistence

Maintain foothold.

Privilege Escalation

Gain higher-level permissions.

Defense Evasion

Avoid detection.

Credential Access

Steal login and password information.

Discovery

Figure out your environment.

Lateral Movement

Move through your environment.

Collection

Gather data.

Exfiltration

Steal data.

Command and Control

Contact controlled systems.

Workflow for MITRE ATT&CK mapping and visualization

Create your own rule and building block mappings in QRadar Use Case Manager, or modify QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.

Save time and effort by editing multiple rules or building blocks at the same time, and by sharing rule-mapping files between QRadar instances. Export your MITRE mappings (custom and IBM default) as a backup of custom MITRE mappings in case you uninstall the app and then decide later to reinstall it. For more information, see Uninstalling QRadar Use Case Manager.

After you finish mapping your rules and building blocks, organize the rule report and then visualize the data through diagrams and heat maps. Current and potential MITRE coverage data is available in the following reports: Detected in timeframe report, Coverage map and report, and Coverage summary and trend.
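The coverage idea in this workflow can be sketched outside the product. The following is an added example, not QRadar Use Case Manager code and not its export schema: the mapping layout, the rule names, and the reading of "current" as enabled rules and "potential" as all mapped rules are assumptions made for illustration.

```python
# Tactics as listed on this page, in attack-phase order.
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Exfiltration", "Command and Control",
]

# Constructed sample mappings: hypothetical rule names and a hypothetical layout.
SAMPLE_MAPPINGS = [
    {"rule": "Repeated Login Failures", "enabled": True,
     "tactics": {"Credential Access": ["T1110"]}},
    {"rule": "Login From Dormant Account", "enabled": True,
     "tactics": {"Initial Access": ["T1078"], "Persistence": ["T1078"]}},
    {"rule": "Internal Port Sweep", "enabled": False,
     "tactics": {"Discovery": ["T1046"]}},
    {"rule": "Beaconing To Rare Domain", "enabled": True,
     "tactics": {"Command and Control": ["T1071"]}},
    {"rule": "Legacy Custom Rule", "enabled": True,
     "tactics": {"Recon": ["T1046"]}},  # not a tactic in TACTICS: gets rejected
]


def coverage(mappings):
    """Count rules per (tactic, technique) cell. Assumption: 'current' counts
    enabled rules only, 'potential' counts every mapped rule."""
    cov = {t: {} for t in TACTICS}
    rejected = []  # (rule, tactic) pairs that name an unknown tactic
    for m in mappings:
        for tactic, techniques in m["tactics"].items():
            if tactic not in cov:
                rejected.append((m["rule"], tactic))
                continue
            for tech in techniques:
                cell = cov[tactic].setdefault(tech, {"current": 0, "potential": 0})
                cell["potential"] += 1
                cell["current"] += int(m["enabled"])
    return cov, rejected


def gaps(cov):
    """Split uncovered tactics: fixable by enabling a rule vs. no rule mapped."""
    enable = [t for t in TACTICS
              if cov[t] and not any(c["current"] for c in cov[t].values())]
    missing = [t for t in TACTICS if not cov[t]]
    return enable, missing


if __name__ == "__main__":
    cov, rejected = coverage(SAMPLE_MAPPINGS)
    for t in TACTICS:  # text heat map: current/potential rule count per technique
        cells = " ".join(f"{k}={v['current']}/{v['potential']}" for k, v in cov[t].items())
        print(f"{t:<22}{cells or '-'}")
    print("enable:", gaps(cov)[0], "| unmapped:", gaps(cov)[1], "| rejected:", rejected)
```

Rejected pairs are worth reviewing before sharing a mapping file between instances, because a misspelled tactic name silently drops a rule from the coverage view.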