Sharing MITRE-mapping Files

Save time and effort when mapping rules and building blocks to tactics and techniques by sharing rule-mapping files between QRadar instances.

The export includes only the MITRE mappings made directly to rules, not the mappings of their dependencies. If you use the default MITRE-related templates on the Use Case Explorer page, you can see the direct mappings to the rules and their dependencies. You can also customize the template to see only the direct mappings if necessary. For more information, see Customizing Report Content Templates.

Use the Export option to create backups of the mappings in your environment. You can also use the Export and the Import options to move rules from one deployment to another, rather than manually copying the rules.

  1. To export MITRE mappings, use the following steps:
    1. On the Use Case Explorer page, click ATT&CK Actions > Export.

    2. Select which MITRE mappings you want to export: All or Export mappings to rules or building blocks in current view.

    3. Select one of the following export formats:

      • Export to a JSON file that can be imported in QRadar Use Case Manager. Use this option to create a backup of your mappings, or to move the mappings and their corresponding rules to another QRadar deployment.

      • Export information about MITRE coverage to a JSON file that can be imported as a layer into the MITRE ATT&CK Navigator.

    4. Click Export.

  2. To export mappings from the MITRE ATT&CK Mapping page, see step 5 in Editing MITRE Mappings in Multiple Rules or Building Blocks.
  3. To import a rule mappings file, use the following steps:
    1. On the Use Case Explorer page, click ATT&CK Actions > Import.

    2. Click the import icon, browse to the file location on your system and select the file, and then click Import.