Version: 6.0

MITRE ATT&CK

Description

The module is designed to identify and analyze cyberattacks on an organization using the tactics and techniques of the MITRE ATT&CK knowledge base. Each tactic and technique comes with a detailed description of the attacker's behavior, which is the information you need to configure correlation rules. The current set of tactics and techniques is loaded into Search Anywhere Framework when the module is installed.

Please note!

Correlation rules are not supplied with the module. You create them yourself from the descriptions of the attack tactics and techniques, taking into account the data sets you actually collect: a technique without a correlation rule produces no alerts, regardless of how it is described in the knowledge base.

The module provides the following functions:

Priority Selection

  • creating layers for each information system (see the Layer Editor section for details)
  • configuring the criticality and coverage of each technique

Priority selection is performed using a Priority Matrix. Learn more about the priority matrix in the corresponding article: Priority Matrix

Coverage Assessment

  • the module provides an interface for assessing coverage for each technique
  • the interface allows visualizing the coverage of information systems and assets
  • the assessment helps determine which areas require additional attention

These capabilities are implemented via the Coverage Matrix. For more details, please refer to the corresponding article: Coverage Matrix.

Detection Monitoring

The module provides two types of alert monitoring: Action MITRE ATT&CK and Risk Action.

Detection Matrix

An interface that displays all alerts, grouped by techniques and information systems. It allows you to see the number of alerts for each technique. For more details, please refer to the corresponding article: Detection Matrix.
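The following is an added example that shows how the three matrices described on this page relate to each other in data terms; it is not code from the Search Anywhere Framework module. It assumes a simple scoring model (priority = criticality × (1 − coverage)) that is an illustration only, and all technique IDs, rule names, systems and alerts are constructed sample data, not output of the product.

```python
# Added illustration of coverage, priority and detection matrices for
# ATT&CK techniques. Not the product's own code; the scoring model below
# (priority = criticality * (1 - coverage)) is an assumption.
from collections import defaultdict

# Constructed sample data: techniques with an analyst-assigned criticality (0..1).
TECHNIQUES = {
    "T1059": {"tactic": "Execution", "criticality": 0.9},
    "T1078": {"tactic": "Defense Evasion", "criticality": 0.8},
    "T1021": {"tactic": "Lateral Movement", "criticality": 0.7},
    "T1566": {"tactic": "Initial Access", "criticality": 0.6},
}

# Constructed correlation rules: each is tagged with the technique it detects
# and the information systems (layers) whose data it actually consumes.
RULES = [
    {"rule": "suspicious_powershell", "technique": "T1059", "systems": ["ERP", "HR"]},
    {"rule": "login_outside_hours", "technique": "T1078", "systems": ["ERP"]},
    {"rule": "rdp_from_workstation", "technique": "T1021", "systems": ["ERP", "HR"]},
]

# Constructed alerts as a correlation engine might emit them. The last one
# comes from a rule that was never tagged with a technique.
ALERTS = [
    {"rule": "suspicious_powershell", "system": "ERP"},
    {"rule": "suspicious_powershell", "system": "HR"},
    {"rule": "login_outside_hours", "system": "ERP"},
    {"rule": "suspicious_powershell", "system": "ERP"},
    {"rule": "legacy_rule_17", "system": "HR"},
]

SYSTEMS = ["ERP", "HR"]


def coverage_matrix(techniques, rules, systems):
    """{technique: {system: number_of_rules}}, zero where nothing detects the pair."""
    matrix = {t: {s: 0 for s in systems} for t in techniques}
    for rule in rules:
        for system in rule["systems"]:
            if rule["technique"] in matrix and system in matrix[rule["technique"]]:
                matrix[rule["technique"]][system] += 1
    return matrix


def coverage_score(matrix):
    """Per technique: fraction of systems with at least one rule."""
    return {t: sum(1 for n in row.values() if n > 0) / len(row)
            for t, row in matrix.items()}


def priority_ranking(techniques, scores):
    """Assumed model: priority = criticality * (1 - coverage), highest first.
    Ties are broken by criticality, then by technique ID, so output is stable."""
    ranked = [(t, techniques[t]["criticality"] * (1 - scores[t])) for t in techniques]
    return sorted(ranked, key=lambda x: (-x[1], -techniques[x[0]]["criticality"], x[0]))


def detection_matrix(alerts, rules):
    """Alert counts grouped by (technique, system). Alerts from rules with no
    technique tag are collected under UNMAPPED so the gap is visible rather than
    silently dropped from the matrix."""
    rule_to_technique = {r["rule"]: r["technique"] for r in rules}
    counts = defaultdict(lambda: defaultdict(int))
    for alert in alerts:
        technique = rule_to_technique.get(alert["rule"], "UNMAPPED")
        counts[technique][alert["system"]] += 1
    return {t: dict(row) for t, row in counts.items()}


if __name__ == "__main__":
    cov = coverage_matrix(TECHNIQUES, RULES, SYSTEMS)
    scores = coverage_score(cov)
    print("Coverage:", cov)
    print("Priority (highest first):", priority_ranking(TECHNIQUES, scores))
    print("Detections:", detection_matrix(ALERTS, RULES))
```

With this data, T1566 ranks first for attention because it is critical and has no rule at all, while T1059 and T1021 drop to the bottom because every system already has a rule for them. The UNMAPPED row in the detection output is the case to watch for in practice: a rule that fires but carries no technique tag never shows up in a per-technique matrix.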

Dashboards

A visual representation of alert information. It enables tracking trends, identifying anomalies, and assessing the effectiveness of correlation rules.