Events by MITRE ATT&CK

The Events by MITRE page provides a heat map and table that organizes events into MITRE ATT&CK® Framework tactics and techniques. Each column represents a Tactic, with the Techniques related to that Tactic listed beneath it. A technique can be associated with more than one tactic, so the same event can appear in more than one cell of the heat map.

Events by MITRE ATT&CK® heat map

The legend in the top right shows how the heat map shades cells based on the number of events. Tactics with more events are shown in a lighter shade of blue, while tactics with a smaller number of events are shown in a darker blue.

Click a tactic in the heat map to filter the event table below it so that it only shows events for that tactic. Click the tactic again, or select the Clear All button above the event table, to show events for all tactics again.

Relationship to Detection Categories

Netography Detection Models (NDMs) can have one or more Detection Categories assigned to them. You can view these in the Detection Model Configuration. If a detection category is a valid MITRE ATT&CK technique ID (i.e. it is in the format t0000), the event will appear in the corresponding cell of the heat map, and the technique column in the event table below will show the technique.

The MITRE ATT&CK tactics (the column headers in the heat map) are derived from the technique, based on MITRE's own technique-to-tactic mapping. Therefore, you will not see the tactic listed directly in the NDM configuration; only the technique is configured.

Event Record Details

If you are working directly with event records (e.g., you are using a Response Integration to send an event to another system and then parsing the event there, or you click the Raw Record button in the Event Details page), you will see additional fields related to MITRE ATT&CK included in the event record.

Each detection category that corresponds to a MITRE ATT&CK technique is written to the mitre object in the JSON event record when the event is created, with the name and ID of each technique, its corresponding tactic, and the relationship between the tactic and technique.

An example of the mitre section of an event record:

    "mitre": {
        "tactics": {
            "ids": [ "TA0008" ],
            "names": [ "Lateral Movement" ]
        },
        "techniques": {
            "ids": [ "t1021" ],
            "names": [ "Remote Services" ]
        },
        "hierarchy": [ "t1021:TA0008" ]
    }

Compare that to the Detection Categories array in the event record for this same event, which contains only the category name:

    "categories": [ "t1021" ],

Although you could derive all of the information in the mitre object yourself from the detection category name alone, the mapping is included directly in the event record to simplify working with MITRE ATT&CK tactics and techniques in downstream systems.
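The following is an added example, not code from this page or from Netography, showing what a downstream consumer of these event records (for instance the receiving side of a Response Integration) would typically do with the fields above: pick out the detection categories that are MITRE technique IDs using the t0000 format stated on this page, parse the hierarchy entries into a technique-to-tactic mapping, cross-check the categories array against the mitre object, and aggregate events into (tactic, technique) cells the way the heat map does, so that a technique tied to several tactics is counted in each tactic's column. The sample records are constructed for this example. The second record assumes that a technique mapped to several tactics is represented with one hierarchy entry per technique:tactic pair (the page shows only the single-tactic case), and its "policy-violation" category is a made-up, non-MITRE label used to show the filtering.

```python
import json
import re
from collections import Counter

# Constructed sample records in the shape shown on this page; not real
# Netography output. Record 2 assumes one "hierarchy" entry per
# technique:tactic pair for a multi-tactic technique (an assumption), and
# carries a made-up non-MITRE category ("policy-violation").
SAMPLE_RECORDS = [
    """{"categories": ["t1021"],
        "mitre": {"tactics": {"ids": ["TA0008"], "names": ["Lateral Movement"]},
                  "techniques": {"ids": ["t1021"], "names": ["Remote Services"]},
                  "hierarchy": ["t1021:TA0008"]}}""",
    """{"categories": ["t1078", "policy-violation"],
        "mitre": {"tactics": {"ids": ["TA0001", "TA0003", "TA0004", "TA0005"],
                              "names": ["Initial Access", "Persistence",
                                        "Privilege Escalation", "Defense Evasion"]},
                  "techniques": {"ids": ["t1078"], "names": ["Valid Accounts"]},
                  "hierarchy": ["t1078:TA0001", "t1078:TA0003",
                                "t1078:TA0004", "t1078:TA0005"]}}""",
]

# Formats stated or shown on this page: technique "t0000", tactic "TA0000".
TECHNIQUE_RE = re.compile(r"^t\d{4}$")
TACTIC_RE = re.compile(r"^TA\d{4}$")


def load_record(raw):
    """Parse one raw JSON event record as delivered to an integration."""
    return json.loads(raw)


def technique_categories(event):
    """Return only the detection categories that are MITRE technique IDs."""
    return [c for c in event.get("categories", []) if TECHNIQUE_RE.match(c)]


def technique_to_tactics(event):
    """Parse 'hierarchy' entries of the form 'tNNNN:TAnnnn' into {technique: {tactics}}."""
    mapping = {}
    for entry in event.get("mitre", {}).get("hierarchy", []):
        technique, sep, tactic = entry.partition(":")
        if not sep or not TECHNIQUE_RE.match(technique) or not TACTIC_RE.match(tactic):
            raise ValueError(f"malformed hierarchy entry: {entry!r}")
        mapping.setdefault(technique, set()).add(tactic)
    return mapping


def check_event(event):
    """Cross-check 'categories' against the 'mitre' object; return a list of problems."""
    problems = []
    mitre = event.get("mitre", {})
    technique_ids = set(mitre.get("techniques", {}).get("ids", []))
    tactic_ids = set(mitre.get("tactics", {}).get("ids", []))
    # Every technique-shaped category should also be listed as a technique.
    for cat in technique_categories(event):
        if cat not in technique_ids:
            problems.append(f"category {cat} missing from mitre.techniques.ids")
    # Every hierarchy pair should reference IDs present in the id arrays.
    for technique, tactics in technique_to_tactics(event).items():
        if technique not in technique_ids:
            problems.append(f"hierarchy technique {technique} missing from mitre.techniques.ids")
        for tactic in sorted(tactics - tactic_ids):
            problems.append(f"hierarchy tactic {tactic} missing from mitre.tactics.ids")
    return problems


def heatmap_counts(events):
    """Events per (tactic, technique) cell; a multi-tactic technique counts in each column."""
    cells = Counter()
    for event in events:
        for technique, tactics in technique_to_tactics(event).items():
            for tactic in tactics:
                cells[(tactic, technique)] += 1
    return cells


def tactic_counts(events):
    """Events per tactic column; an event counts once per tactic it maps to."""
    per_tactic = Counter()
    for event in events:
        tactics = set().union(*technique_to_tactics(event).values())
        for tactic in tactics:
            per_tactic[tactic] += 1
    return per_tactic


if __name__ == "__main__":
    events = [load_record(r) for r in SAMPLE_RECORDS]
    for ev in events:
        print(technique_categories(ev), check_event(ev))
    for (tactic, technique), n in sorted(heatmap_counts(events).items()):
        print(f"{tactic} {technique}: {n}")
```

Because the tactic is derived from the technique rather than configured on the NDM, the check in check_event is the one worth keeping in an integration: it catches a record whose categories and mitre object disagree before you count it into a dashboard of your own.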
