Cyber Adversary Framework Mapping Application
With the Cyber Adversary Framework Mapping Application (included in Version 2.5.3 and earlier,) you can map your custom rules to MITRE ATT&CK tactics and techniques and override the IBM® default rule mappings.
The QRadar Advisor with Watson app automatically maps MITRE ATT&CK tactics and techniques to CRE rules. The tactics are identified from IBM X-Force and Detect behavior (tactics rule behavior). In the QRadar Advisor with Watson app, you can see the tactics that are identified for an offense investigation, a search, and the offense details pane.
The following content pack contains techniques: IBM QRadar Content Extension for Sysmon . You must install the Sysmon content pack to add sysmon rules and you must also have sysmon log sources. When the Cyber Adversary Framework Mapping Application downloads its default mappings from the cloud, it will see that those rules are in QRadar and add them instead of discarding.
The MITRE ATT&CK framework represents adversary tactics that are used in a security attack. The following phases of an attack are represented:
|MITRE ATT&CK Tactic||Description|
|Initial Access||Gains entry to your environment.|
|Execution||Run malicious code.|
|Privilege Escalation||Gain higher-level permissions.|
|Defense Evasion||Avoid detection.|
|Credential Access||Steal login and password information.|
|Discovery||Figure out your environment.|
|Lateral Movement||Move through your environment.|
|Command and Control||Contact controlled systems.|