Visualizing MITRE tactics and techniques that are detected in a specific timeframe

See which MITRE ATT&CK tactics and techniques were detected in your environment based on the offenses that were updated within a specific timeframe. QRadar® Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe, along with the tactics and techniques that are mapped to those rules.

Before you begin

If you want to filter by MITRE ATT&CK tactics, you must first map your rules to MITRE tactics and techniques. For more information, see Editing MITRE mappings in a rule or building block.

About this task

The more filters that you apply to the rules, the more fine-tuned the list of results you get. QRadar Use Case Manager uses the OR condition within the options of one filter group, and uses the AND condition across multiple groups of filters. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon).

Procedure

  1. On the Use Case Explorer page, click ATT&CK Actions > Detected in timeframe.
    Heat map that shows tactics and techniques that were detected in a specific time period.
  2. Select a content template.
    If you don't select a template, the default template (ATT&CK tactics and techniques detected in offenses in the last 24 hours) is used.
  3. If you want to change the timeframe, in the Offenses filter, select a timeframe or a specific interval to filter the offenses.
  4. Select parameters to exclude offenses from the results, such as hidden or closed offenses. Offenses that are marked for follow-up are flagged for further investigation. You might have offenses that you want to retain regardless of the retention period; those offenses are protected to prevent them from being removed from QRadar after the retention period elapses. Inactive offenses are removed from visualization so that reports aren't cluttered.
    Filter out the offenses that are closed. For example, you can exclude the rules that generated offenses that were closed as false positives. Rules with many false positives likely need tuning. Offenses that are closed as a non-issue are usually considered not critical to your organization. You might not want to include these offenses when you review the detected MITRE tactics and techniques.
  5. Filter offenses by the domain. A rule can work in the context of a single domain or in the context of all domains. Use this option to filter the domains in a multi-domain environment, such as an MSSP, by each individual domain. If there is more than one domain in your environment (and they are added to Domain Management in the QRadar console), they appear in the Domains filter list.
    Tip: To add a domain column to the rule report, click the gear icon. In the section of the Offenses filter, select Domain, and then click Apply.
  6. Select from the filters in the MITRE ATT&CK section. The following options are available to filter:
    Tactics
    Select tactics from the list. For example, an Initial Access tactic is used by adversaries who are trying to get into your network.
    Technique
    Search for techniques and their sub-techniques or select them from the list. The techniques are pre-filtered to match the selected tactic. For example, an Account Discovery technique occurs when adversaries attempt to get a list of your local system or domain accounts.

    Sub-techniques are identified by a dot in the ID, such as "T1003.002 Security Account Manager". Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.

    Mapping confidence
    Indicates mappings that are assigned a specific level of confidence for rule coverage.
    Mapping enabled
    Indicates for each rule whether the mapping between the tactic or technique and rules is turned on. Mappings that are not enabled are not added to the technique coverage heat map.
  7. To update the rule report with your filters, click Apply Filters.
    QRadar Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe. If you click an offense to further investigate it, and the QRadar Analyst Workflow is installed on the QRadar Console, the offense opens in the workflow view. For more information, see QRadar Analyst Workflow (https://ibm.com/support/knowledgecenter/SS42VS_7.5/com.ibm.qradar.doc/c_analyst_wf_ui_overview.html).
  8. To change the labeling in the chart, click the Show option in the report menu bar and select from names, technique IDs, or technique names and IDs. By default, the technique names are displayed.
  9. Scroll through the heat map visualization to see the different techniques that are affected by those rules. The number in the chart header indicates the number of rules that are mapped per tactic. (This number might be larger than the sum of the number of mappings of its techniques because the mappings are done directly to the tactic, not to the technique.)
  10. To see the sub-techniques for a MITRE technique, click the expand icon to extend the column. Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.
  11. To see only the sub-techniques for each tactic and technique, click the stack icon ( Show or hide sub-techniques) in the report menu bar.
  12. To see which MITRE techniques are being used by adversary groups and software, select the appropriate filters from the Highlight groups and Highlight software lists. Relevant groups are highlighted in the heat map by pink sidebars, and relevant software are highlighted by purple sidebars.
  13. To see only the techniques that are selected in the filter, hold the control key (on Windows) or the command key (on Mac) of your keyboard and select the relevant techniques on the heat map. Then select the Show techniques in filter option in the report menu bar. All other filters are hidden in the heat map.
    Tip: If you don't see any technique filters in the heat map, add techniques in the MITRE ATT&CK section of the filter panel or select techniques in the map.
  14. To change the platforms that are filtered in the heat map, click Filter by platform and change the selection in your user preferences.
    By default, the heat map shows tactics, techniques, and sub-techniques from the following platforms: Linux®, macOS, PRE, and Windows.

    The Selected platforms filter tag in the filter bar is not selectable, but represents the selected MITRE ATT&CK platforms, and is added whenever the report includes ATT&CK-related filters or columns. To change the selected platforms, modify your user preferences. For more information, see Customizing user preferences.

  15. To work with tactics, techniques and sub-techniques from other platforms, click Filter by platform and change the selection in your user preferences. Changing the platform also affects the contents of MITRE filters on the Use Case Explorer page and MITRE ATT&CK Mappings edit page.
  16. To export the current display of the chart as a PNG image, click the export icon (Down arrow export icon). Then, you can share the image with colleagues or executives who don't have access to QRadar Use Case Manager.
  17. To expand the visualization pane to the width of your screen, click the maximize icon (Maximize icon to expand pane to full view) on the menu bar of the pane. Zoom in or out to see the visualization at the size you want. Any filtering that you apply in the expanded pane is kept when you return to the Use Case Explorer page.
    Important: The zoom capability is not supported on Mozilla Firefox. Use the browser control to zoom in and out.

What to do next

Visualizing MITRE tactic and technique coverage in your environment or Visualizing MITRE coverage summary and trends