See which MITRE ATT&CK tactics and techniques were detected in your environment based on the offenses that were updated within a specific timeframe. QRadar® Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe, along with the tactics and techniques that are mapped to those rules.
About this task
The more filters that you apply to the rules, the more fine-tuned the list of results you get. QRadar Use Case Manager uses the OR condition within the options of one filter group, and uses the AND condition across multiple groups of filters. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon).
Procedure
- On the Use Case Explorer page, click .
- Select a content template. If you don't select a template, the default template (ATT&CK tactics and techniques detected in offenses in the last 24 hours) is used.
- If you want to change the timeframe, in the Offenses filter, select a timeframe or a specific interval to filter the offenses.
- Select parameters to exclude offenses from the results, such as hidden or closed offenses. Offenses that are marked for follow-up are flagged for further investigation. You might have offenses that you want to retain regardless of the retention period; those offenses are protected to prevent them from being removed from QRadar after the retention period elapses. Inactive offenses are removed from visualization so that reports aren't cluttered.
  Filter out the offenses that are closed. For example, you can exclude the rules that generated offenses that were closed as false positives. Rules with many false positives likely need tuning. Offenses that are closed as a non-issue are usually considered not critical to your organization. You might not want to include these offenses when you review the detected MITRE tactics and techniques.
- Filter offenses by the domain. A rule can work in the context of a single domain or in the context of all domains. Use this option to filter the domains in a multi-domain environment, such as an MSSP, by each individual domain. If there is more than one domain in your environment (and they are added to Domain Management in the QRadar console), they appear in the Domains filter list.
  Tip: To add a domain column to the rule report, click the gear icon. In the section of the Offenses filter, select Domain, and then click Apply.
- Select from the filters in the MITRE ATT&CK section. The following options are available to filter:
  - Tactics: Select tactics from the list. For example, an Initial Access tactic is used by adversaries who are trying to get into your network.
  - Technique: Search for techniques and their sub-techniques or select them from the list. The techniques are pre-filtered to match the selected tactic. For example, an Account Discovery technique occurs when adversaries attempt to get a list of your local system or domain accounts.
    Sub-techniques are identified by a dot in the ID, such as "T1003.002 Security Account Manager". Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.
  - Mapping confidence: Indicates mappings that are assigned a specific level of confidence for rule coverage.
  - Mapping enabled: Indicates for each rule whether the mapping between the tactic or technique and rules is turned on. Mappings that are not enabled are not added to the technique coverage heat map.
- To update the rule report with your filters, click Apply Filters.
  QRadar Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe. If you click an offense to further investigate it, and the QRadar Analyst Workflow is installed on the QRadar Console, the offense opens in the workflow view. For more information, see QRadar Analyst Workflow (https://ibm.com/support/knowledgecenter/SS42VS_7.5/com.ibm.qradar.doc/c_analyst_wf_ui_overview.html).
- To change the labeling in the chart, click the Show option in the report menu bar and select from names, technique IDs, or technique names and IDs. By default, the technique names are displayed.
- Scroll through the heat map visualization to see the different techniques that are affected by those rules. The number in the chart header indicates the number of rules that are mapped per tactic. (This number might be larger than the sum of the number of mappings of its techniques because some mappings are made directly to the tactic, not to a technique.)
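The filter semantics from "About this task" (OR inside one filter group, AND across groups), the exclusion of closed offenses and disabled mappings, and the per-tactic rule count in the chart header are easy to misread, so here is an added worked model of them. It is example code written for this page, not part of QRadar or Use Case Manager; the offenses, rule names and mappings are constructed sample data, and apart from T1003.002 (quoted on the page) the technique IDs come from the public ATT&CK matrix.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Mapping:
    rule: str
    tactic: str
    technique: Optional[str]  # None when the rule is mapped directly to the tactic
    confidence: str           # mapping confidence label
    enabled: bool             # disabled mappings never reach the heat map

@dataclass(frozen=True)
class Offense:
    offense_id: int
    rule: str
    status: str               # "open" or "closed"
    domain: str

# Constructed sample data, not exported from QRadar. T1003.002 is the ID quoted on the page;
# T1087 (Account Discovery) and T1003.004 (LSA Secrets) are from the public ATT&CK matrix.
OFFENSES = [
    Offense(1, "Multiple Login Failures", "open", "DomainA"),
    Offense(2, "Local Account Enumeration", "closed", "DomainA"),
    Offense(3, "Credential Dump Attempt", "open", "DomainB"),
]
MAPPINGS = [
    Mapping("Multiple Login Failures", "Initial Access", None, "Medium", True),
    Mapping("Local Account Enumeration", "Discovery", "T1087", "High", True),
    Mapping("Credential Dump Attempt", "Credential Access", "T1003.004", "High", True),
    Mapping("Credential Dump Attempt", "Credential Access", "T1003.002", "Low", False),
]

def is_sub_technique(technique_id: str) -> bool:
    """Sub-techniques are identified by a dot in the ID, such as T1003.002."""
    return "." in technique_id

def matches(values: Dict[str, Optional[str]], filters: Dict[str, Set[str]]) -> bool:
    """OR within one filter group (value is in the group's set), AND across groups."""
    return all(values.get(group) in allowed for group, allowed in filters.items())

def tactic_rule_counts(offenses, mappings, offense_filters, mitre_filters, exclude_closed=True):
    """Number of rules mapped per tactic, as shown in the chart header. A rule mapped
    directly to a tactic (technique None) counts even though no technique cell shows it."""
    rules = {o.rule for o in offenses
             if not (exclude_closed and o.status == "closed")
             and matches({"domain": o.domain}, offense_filters)}
    per_tactic: Dict[str, Set[str]] = {}
    for m in mappings:
        fields = {"tactic": m.tactic, "technique": m.technique, "confidence": m.confidence}
        if m.rule in rules and m.enabled and matches(fields, mitre_filters):
            per_tactic.setdefault(m.tactic, set()).add(m.rule)
    return {tactic: len(r) for tactic, r in per_tactic.items()}
```

With no filters, the closed offense drops "Discovery" from the result and the disabled T1003.002 mapping is ignored, while "Initial Access" still counts one rule although it has no technique cell.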
- To see the sub-techniques for a MITRE technique, click the expand icon to extend the column. Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.
- To see only the sub-techniques for each tactic and technique, click the stack icon in the report menu bar.
- To see which MITRE techniques are being used by adversary groups and software, select the appropriate filters from the Highlight groups and Highlight software lists. Relevant groups are highlighted in the heat map by pink sidebars, and relevant software is highlighted by purple sidebars.
- To see only the techniques that are selected in the filter, hold the control key (on Windows) or the command key (on Mac) of your keyboard and select the relevant techniques on the heat map. Then select the Show techniques in filter option in the report menu bar. All other filters are hidden in the heat map.
  Tip: If you don't see any technique filters in the heat map, add techniques in the MITRE ATT&CK section of the filter panel or select techniques in the map.
- To change the platforms that are filtered in the heat map, click Filter by platform and change the selection in your user preferences.
  By default, the heat map shows tactics, techniques, and sub-techniques from the following platforms: Linux®, macOS, PRE, and Windows.
  The Selected platforms filter tag in the filter bar is not selectable, but represents the selected MITRE ATT&CK platforms, and is added whenever the report includes ATT&CK-related filters or columns. To change the selected platforms, modify your user preferences. For more information, see Customizing user preferences.
- To work with tactics, techniques and sub-techniques from other platforms, click Filter by platform and change the selection in your user preferences. Changing the platform also affects the contents of MITRE filters on the Use Case Explorer page and the MITRE ATT&CK Mappings edit page.
- To export the current display of the chart as a PNG image, click the export icon. Then, you can share the image with colleagues or executives who don't have access to QRadar Use Case Manager.
  Important: The export as an image capability is not supported on Mozilla Firefox. Use Google Chrome or Microsoft Edge browsers instead.
- To expand the visualization pane to the width of your screen, click the maximize icon on the menu bar of the pane. Zoom in or out to see the visualization at the size you want. Any filtering that you apply in the expanded pane is kept when you return to the Use Case Explorer page.
  Important: The zoom capability is not supported on Mozilla Firefox. Use the browser control to zoom in and out.