Editing MITRE mappings in multiple rules or building blocks

Save time and effort by editing multiple rules or building blocks at the same time. Export your mappings to a JSON file to share with colleagues.


  1. On the Use Case Explorer page, click the Toggle table view icon to ungroup the report's table columns.
    Tip: Filter on the rule name, tactic, or technique to find the rule you want to edit, or search by using a regular expression. If you're searching for text in parentheses, escape each parenthesis with a backslash in the regular expression. For example, Multiple Login Failures from the Same Source \(Windows\).

    You can also use the Group filter to select the group you want to search, such as authentication or compliance.

  2. Click the pencil icon in the report table to display checkboxes for each table row.
  3. Select the relevant rules or building blocks that you want to edit, and then click Edit MITRE mappings.
  4. On the MITRE ATT&CK Mapping page, customize rule-mapping options by either adding new tactics or editing existing ones.
    Tip: The MITRE ATT&CK Mapping page shows only the mappings that are directly related to a rule. You can see mappings that the rule inherited from its dependencies in the rule details section of the Investigate rules page or in the Use Case Explorer report. Use the Mapping source column in the report, or in the MITRE ATT&CK section of the rule details page, to see the relationships between the rules and their mappings. Or, if you create content extensions for the IBM® Security App Exchange, and you want to map rules in them, export the mappings and upload them when you submit your content.
    1. To add or remove tactics for the rule or building block, click the plus sign icon, select the relevant tactics, and then click Apply.
    2. To add or remove techniques for a tactic, click the plus sign icon for the tactic, select the relevant techniques, and then click Apply.
    3. To add or remove sub-techniques for a technique, click the plus sign icon for the technique, select the relevant sub-techniques, and then click Apply.
      Sub-techniques are identified by a dot in the ID, such as "T1003.002 Security Account Manager".
    4. Select the confidence level for each tactic and click Save. You must set a confidence level; otherwise, you can't save the mapping.
    5. To include the rule in the heat map calculation, keep the Enable checkboxes selected for the tactic and technique.
    6. To reset tactics or techniques that were customized in IBM default mappings, click Reset in the Tactics column.
  5. To export a JSON file of the mappings in the MITRE ATT&CK Mapping page to share with others, click Save > Export mappings.
  6. After you finish your mappings, click Save and close.
  7. To refresh the report to see updated content, click Apply in the Filters pane.
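
The tip in step 1 about escaping parentheses, shown as an added example that is not part of the original documentation: it shows why an unescaped rule name matches the wrong rows and how to escape a name before you search. It assumes the search field treats metacharacters the way JavaScript's RegExp does; the helper names and the second and third rule names are constructed for illustration.

```javascript
// Constructed rule names for illustration; only the first comes from the tip in step 1.
const RULE_NAMES = [
  "Multiple Login Failures from the Same Source (Windows)",
  "Multiple Login Failures from the Same Source Windows",
  "Multiple Login Failures to the Same Destination (Windows)",
];

// Escape every regex metacharacter so the text is matched literally.
function escapeRegex(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile a user-supplied pattern; return null instead of throwing on bad syntax.
function compilePattern(pattern) {
  try {
    return new RegExp(pattern);
  } catch (err) {
    if (err instanceof SyntaxError) return null;
    throw err;
  }
}

// Return the rule names that the pattern matches, or null if the pattern is invalid.
function searchRules(pattern, names = RULE_NAMES) {
  const re = compilePattern(pattern);
  return re === null ? null : names.filter((name) => re.test(name));
}

// Unescaped: "(Windows)" is a capture group, so literal parentheses are never matched.
const unescaped = searchRules("Same Source (Windows)");
// Escaped by hand, as in the tip.
const escaped = searchRules("Same Source \\(Windows\\)");
// Escaped programmatically and anchored to the exact rule name.
const exact = searchRules("^" + escapeRegex(RULE_NAMES[0]) + "$");
// Only one parenthesis escaped: the group is unbalanced and the pattern is rejected.
const unbalanced = searchRules("Same Source \\(Windows)");

console.log({ unescaped, escaped, exact, unbalanced });
```

The same escaping applies when you filter on a sub-technique ID such as T1003.002, because the dot is also a regex metacharacter.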