Cyber Adversary Framework Mapping Application

With the Cyber Adversary Framework Mapping Application (included in QRadar Advisor with Watson 2.5.3 and earlier), you can map your custom rules to MITRE ATT&CK tactics and techniques and override the IBM® default rule mappings.

Starting with QRadar Advisor with Watson™ 2.6.0, QRadar® Use Case Manager is installed together with the Advisor app, and the installed QRadar Use Case Manager version is 2.3.1. QRadar Use Case Manager includes MITRE ATT&CK mapping and visualization. For more information, see QRadar Use Case Manager.
Note: If a version of QRadar Use Case Manager is already installed, the installer upgrades it when the installed version is older than 2.3.1 and leaves it unchanged when the installed version is the same or newer.
Important: QRadar Use Case Manager is installed only after you configure the Advisor app with an authorized service token. For instructions, see Creating authorized service tokens.
Attention: If you are using QRadar Advisor with Watson 2.5.3 or earlier, you can use the Cyber Adversary Framework Mapping Application that is included with QRadar Advisor with Watson. Do not use QRadar Use Case Manager and the Cyber Adversary Framework Mapping Application at the same time: each app maintains its own copy of the rule mappings, so running both causes the mappings to get out of sync.

The QRadar Advisor with Watson app automatically maps MITRE ATT&CK tactics and techniques to CRE rules. Tactics are identified from IBM X-Force data and from rule behavior (the Detect behavior of a rule). In the QRadar Advisor with Watson app, you can see the identified tactics in an offense investigation, in a search, and in the offense details pane.

The following content pack contains technique mappings: IBM QRadar Content Extension for Sysmon. To use the Sysmon rules you must install the Sysmon content pack, and you must also have Sysmon log sources. When the Cyber Adversary Framework Mapping Application downloads its default mappings from the cloud, it detects that those rules exist in QRadar and adds their mappings instead of discarding them; default mappings for rules that are not installed are discarded.
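The merge behavior described above (keep a downloaded default mapping only when its rule exists in QRadar), the custom-override behavior from the opening paragraph, and the "out of sync" warning all reduce to a small amount of set logic. The following Python block is an added illustration, not code from the QRadar app or from IBM: the Mapping data model, the rule names, and the sample mappings are constructed for the example. The tactic IDs (TA0001 to TA0011) and technique IDs are MITRE ATT&CK's published identifiers, which the page itself does not list.

```python
import re
from dataclasses import dataclass

# The 11 ATT&CK tactics listed on this page, keyed by ATT&CK's published tactic IDs
# (the IDs come from the ATT&CK framework, not from the QRadar page).
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0007": "Discovery",
    "TA0008": "Lateral Movement",
    "TA0009": "Collection",
    "TA0010": "Exfiltration",
    "TA0011": "Command and Control",
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1059 or sub-technique T1059.001


@dataclass(frozen=True)
class Mapping:
    """Hypothetical record: one QRadar rule mapped to ATT&CK tactics and techniques."""
    rule: str              # QRadar rule name
    tactics: frozenset     # ATT&CK tactic IDs
    techniques: frozenset  # ATT&CK technique IDs
    source: str            # "default" (downloaded IBM mapping) or "custom" (analyst override)


def validate(m: Mapping) -> None:
    """Reject mappings that reference tactics the app does not know or malformed technique IDs."""
    unknown = [t for t in m.tactics if t not in TACTICS]
    if unknown:
        raise ValueError(f"{m.rule}: unknown tactic IDs {sorted(unknown)}")
    bad = [t for t in m.techniques if not TECHNIQUE_ID.match(t)]
    if bad:
        raise ValueError(f"{m.rule}: malformed technique IDs {sorted(bad)}")


def merge_mappings(defaults, installed_rules, customs):
    """Build the effective rule -> Mapping table.

    A downloaded default mapping is kept only if its rule is actually installed in QRadar;
    defaults for rules that are absent are discarded. A custom mapping must target an
    installed rule and replaces the default mapping for that rule.
    """
    installed = set(installed_rules)
    merged = {}
    for m in defaults:
        validate(m)
        if m.rule in installed:
            merged[m.rule] = m
    for m in customs:
        validate(m)
        if m.rule not in installed:
            raise ValueError(f"custom mapping targets a rule that is not installed: {m.rule}")
        merged[m.rule] = m  # custom overrides default
    return merged


def out_of_sync(table_a, table_b):
    """Rules whose tactic or technique sets differ between two mapping tables.

    This is the drift the page warns about when two mapping apps each keep their own copy.
    """
    drift = {}
    for rule in set(table_a) | set(table_b):
        a, b = table_a.get(rule), table_b.get(rule)
        if a is None or b is None or a.tactics != b.tactics or a.techniques != b.techniques:
            drift[rule] = (a, b)
    return drift


# Constructed sample data: rule names are made up for illustration.
INSTALLED_RULES = [
    "Sysmon: Suspicious PowerShell Execution",
    "Custom: Interactive logon after hours",
]
DEFAULT_MAPPINGS = [
    Mapping("Sysmon: Suspicious PowerShell Execution",
            frozenset({"TA0002"}), frozenset({"T1059.001"}), "default"),
    # Rule is not installed, so this default mapping is discarded on merge.
    Mapping("Sysmon: Registry Run Key Added",
            frozenset({"TA0003"}), frozenset({"T1547.001"}), "default"),
]
CUSTOM_MAPPINGS = [
    # Analyst override: adds Defense Evasion and an obfuscation technique to the Sysmon rule.
    Mapping("Sysmon: Suspicious PowerShell Execution",
            frozenset({"TA0002", "TA0005"}), frozenset({"T1059.001", "T1027"}), "custom"),
    Mapping("Custom: Interactive logon after hours",
            frozenset({"TA0001"}), frozenset({"T1078"}), "custom"),
]


def build_effective_table():
    return merge_mappings(DEFAULT_MAPPINGS, INSTALLED_RULES, CUSTOM_MAPPINGS)


if __name__ == "__main__":
    table = build_effective_table()
    for rule, m in sorted(table.items()):
        names = sorted(TACTICS[t] for t in m.tactics)
        print(f"{rule}: {names} {sorted(m.techniques)} [{m.source}]")
    # Compare against a table built from defaults alone, as a second app would hold it.
    defaults_only = merge_mappings(DEFAULT_MAPPINGS, INSTALLED_RULES, [])
    for rule in sorted(out_of_sync(defaults_only, table)):
        print("out of sync:", rule)
```

Running the block prints the effective table and then flags both installed rules as out of sync between the defaults-only view and the view with custom overrides, which is exactly the divergence that arises when two apps hold separate copies of the mappings.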

Note: The Cyber Adversary Framework Mapping Application and MITRE ATT&CK tactics and techniques are available in QRadar Advisor with Watson.

The MITRE ATT&CK framework describes the tactics that adversaries use during an attack. The app represents the following tactics:

MITRE ATT&CK Tactic     Description
Initial Access          Gain entry to your environment.
Execution               Run malicious code.
Persistence             Maintain a foothold.
Privilege Escalation    Gain higher-level permissions.
Defense Evasion         Avoid detection.
Credential Access       Steal login and password information.
Discovery               Learn about your environment.
Lateral Movement        Move through your environment.
Collection              Gather data.
Exfiltration            Steal data.
Command and Control     Communicate with systems under the adversary's control.