Visualizing MITRE tactics and techniques that are detected in a specific timeframe
See which MITRE ATT&CK tactics and techniques were detected in your environment based on the offenses that were updated within a specific timeframe. QRadar® Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe, along with the tactics and techniques that are mapped to those rules.
Before you begin
About this task
On the Use Case Explorer page, click .
- Select a content template. If you don't select a template, the default template (ATT&CK tactics and techniques detected in offenses in the last 24 hours) is used.
- If you want to change the timeframe, in the Offenses filter, select a timeframe or a specific interval to filter the offenses.
- Select parameters to exclude offenses from the results, such as hidden or closed
offenses. Offenses that are marked for follow-up are flagged for further investigation. You might
have offenses that you want to retain regardless of the retention period; those offenses are
protected to prevent them from being removed from QRadar after the retention
period elapses. Inactive offenses are removed from visualization so that reports aren't
cluttered. Filter out the offenses that are closed. For example, you can exclude the rules that generated offenses that were closed as false positives. Rules with many false positives likely need tuning. Offenses that are closed as a non-issue are usually considered not critical to your organization. You might not want to include these offenses when you review the detected MITRE tactics and techniques.
- Filter offenses by the domain. A rule can work in the context of a
single domain or in the context of all domains. Use this option to filter the domains in a
multi-domain environment, such as an MSSP, by each individual domain. If there is more than one
domain in your environment (and they are added to Domain Management in the QRadar console), they appear in
the Domains filter list. Tip: To add a domain column to the rule report, click the gear icon. In the section of the Offenses filter, select Domain, and then click Apply.
- Select from the filters in the MITRE ATT&CK
section. The following options are available to filter:
- Select tactics from the list. For example, an Initial Access tactic is used by adversaries who are trying to get into your network.
- Search for techniques and their sub-techniques or select them from
the list. The techniques are pre-filtered to match the selected tactic. For example, an Account
Discovery technique occurs when adversaries attempt to get a list of your local system or domain
Sub-techniques are identified by a dot in the ID, such as "T1003.002 Security Account Manager". Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.
- Mapping confidence
- Indicates mappings that are assigned a specific level of confidence for rule coverage.
- Mapping enabled
- Indicates for each rule whether the mapping between the tactic or technique and rules is turned on. Mappings that are not enabled are not added to the technique coverage heat map.
- To update the rule report with your filters, click Apply
Filters. QRadar Use Case Manager displays a list of the offenses and their related rules that were found within that timeframe. If you click an offense to further investigate it, and the QRadar Analyst Workflow is installed on the QRadar Console, the offense opens in the workflow view. For more information, see QRadar Analyst Workflow (https://ibm.com/support/knowledgecenter/SS42VS_7.5/com.ibm.qradar.doc/c_analyst_wf_ui_overview.html).
- To change the labeling in the chart, click the Show option in the report menu bar and select from names, technique IDs, or technique names and IDs. By default, the technique names are displayed.
- Scroll through the heat map visualization to see the different techniques that are affected by those rules. The number in the chart header indicates the number of rules that are mapped per tactic. (This number might be larger than the sum of the number of mappings of its techniques because the mappings are done directly to the tactic, not to the technique.)
- To see the sub-techniques for a MITRE technique, click the expand icon to extend the column. Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.
- To see only the sub-techniques for each tactic and technique, click the stack icon ( ) in the report menu bar.
- To see which MITRE techniques are being used by adversary groups and software, select the appropriate filters from the Highlight groups and Highlight software lists. Relevant groups are highlighted in the heat map by pink sidebars, and relevant software are highlighted by purple sidebars.
- To see only the techniques that are selected in the filter,
hold the control key (on Windows) or the command key (on
Mac) of your keyboard and select the relevant techniques on the heat map. Then select the Show techniques in filter option in the report menu
bar. All other filters are hidden in the heat map. Tip: If you don't see any technique filters in the heat map, add techniques in the MITRE ATT&CK section of the filter panel or select techniques in the map.
- To change the platforms that are filtered in the
heat map, click Filter by platform and change the selection in your user
preferences. By default, the heat map shows tactics, techniques, and sub-techniques from the following platforms: Linux®, macOS, PRE, and Windows.
The Selected platforms filter tag in the filter bar is not selectable, but represents the selected MITRE ATT&CK platforms, and is added whenever the report includes ATT&CK-related filters or columns. To change the selected platforms, modify your user preferences. For more information, see Customizing user preferences.
- To work with tactics, techniques and sub-techniques from other platforms, click Filter by platform and change the selection in your user preferences. Changing the platform also affects the contents of MITRE filters on the Use Case Explorer page and MITRE ATT&CK Mappings edit page.
- To export the current display of the chart as a PNG
image, click the export icon (). Then, you can share the image with colleagues or executives who don't
have access to QRadar Use Case
Manager. Important: The export as an image capability is not supported on Mozilla Firefox. Use Google Chrome or Microsoft Edge browsers instead.
- To expand the visualization pane to the width of your screen, click
the maximize icon () on the menu bar of the pane. Zoom in or out to
see the visualization at the size you want. Any filtering that you apply in the expanded pane is
kept when you return to the Use Case Explorer page. Important: The zoom capability is not supported on Mozilla Firefox. Use the browser control to zoom in and out.