Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Editing MITRE Mappings in a Rule or Building Block

Create your own rule and building block mappings or modify IBM QRadar default mappings to map your custom rules and building blocks to specific tactics and techniques.

  1. In the report section of the Use Case Explorer page, select the relevant rule.
    Tip:

    Filter on the rule name, tactic, or technique to find the rule you want to edit or search by using a regular expression. You can also use the Group filter to select the group you want to search, such as authentication or compliance.
  2. On the Investigate rules page, click the pencil icon in the MITRE ATT&CK section.
  3. On the MITRE ATT&CK Mapping page, customize rule-mapping options by either adding new tactics or editing existing ones.
    Tip:

    The MITRE ATT&CK Mapping page shows only the mappings that are directly related to a rule. You can see mappings that the rule inherited from its dependencies in the rule details section of the Investigate rules page or in the report on the Use Case Explorer page.

    1. To add or remove tactics with the rule or building block, click the plus sign icon, select the relevant tactics, and then click Apply.

    2. To add or remove techniques for a tactic, click the plus sign icon for the tactic, select the relevant techniques, and then click Apply.

    3. To add or remove sub-techniques for a technique, click the plus sign icon for the technique, select the relevant sub-techniques, and then click Apply.

      Sub-techniques are identified by a dot in the ID, such as "T1003.002 Security Account Manager".

    4. To include the tactic and technique in the heat map calculation, keep the Enable checkbox selected.

    5. Select the confidence level for each tactic and click Save. You must set a confidence level; otherwise, you can't save the mapping.

    6. To reset to the IBM default mappings, click the Reset icon in the Tactics or Techniques columns.

  4. After you finish customizing your mappings, click Save or Save and close to return to the Use Case Explorer page.
  5. To see the relationships between the rules and their mappings in the rule report, complete the following steps:
    1. Click the gear icon in the rule report menu bar and add the Mapping source column to the report.
      Tip:

      Either search or scroll down the window to find the column.
    2. Add the Tactic or the Tactic (at rule level only) column.

      The Tactic column shows all the tactics that are directly mapped to the rule, including the mappings to BBs and rules in the rule’s dependencies list.

      The Tactic (at rule level only) column shows only the tactics that are mapped directly to the rule, excluding the mappings to BBs and rules in the rule’s dependencies list.

    3. Add the Technique or the Technique (at rule level only) column.

      The Technique column shows all the techniques that are directly mapped to the rule, including the mappings to BBs and rules in the rule’s dependencies list.

      The Technique (at rule level only) column shows only the techniques that are mapped directly to the rule, excluding the mappings to BBs and rules in the rule’s dependencies list.

    4. Add the Sub-Technique or the Sub-technique (at rule level only) column.

      The Sub-Technique column shows all the sub-techniques that are directly mapped to the rule, including the mappings to BBs and rules in the rule’s dependencies list.

      The Sub-technique (at rule level only) column shows all the sub-techniques that are mapped directly to the rule, excluding the mappings to BBs and rules in the rule’s dependencies list.

    5. In the Selected columns section of the window, drag the columns in the order that you want them displayed in the report and click Apply.

If you create content extensions for the IBM Security App Exchange, and you want to map rules in them, export the mappings and upload them when you submit your content.

To edit multiple rules or building blocks at one time, see Editing MITRE Mappings in Multiple Rules or Building Blocks.

Related Documentation