Customize the Cyber Adversary Framework Mapping Application to map any custom rule in QRadar® to MITRE ATT&CK tactics and techniques.
Before you begin
With 2.6.0, the QRadar Use Case Manager is installed with QRadar Advisor with Watson™ and the QRadar Use Case Manager version is updated to 2.3.1. The Use Case Manager includes MITRE ATT&CK mapping and visualization. You should follow the instructions for the QRadar Use Case Manager. For more information, see QRadar Use Case Manager.
Attention: If you are using QRadar Advisor with Watson 2.5.3 or earlier, then you can use the Cyber Adversary Framework Mapping Application app that is included with QRadar Advisor with Watson. Do not use both the QRadar Use Case Manager and the Cyber Adversary Framework Mapping Application at the same time, or you will encounter out-of-sync issues.
The following instructions apply to the Cyber Adversary Framework Mapping Application. You must complete the steps for creating an authorized service token before you proceed. For more information, see Configuring the Cyber Adversary Framework Mapping Application.
About this task
With the Cyber Adversary Framework Mapping Application, you can create your own rule mappings or modify IBM default mappings to map your custom rules to specific tactics and techniques. For example, if you see a rule that was triggered, you can map certain tactics and techniques to that rule.
Note: The QRadar Advisor with Watson app and later automatically maps MITRE ATT&CK tactics to CRE rules.
Procedure
- On the navigation menu, click Admin.
- In QRadar 7.3.3 or later, click .
- To overwrite IBM default mappings, filter on the Rule Name, Tactic, or Technique to find the rule you want to edit.
- Click the Edit Mapping icon in the Actions column to customize the confidence level, tactics, and techniques that are associated with the rule. The tactics, techniques, and confidence are displayed in the QRadar Advisor with Watson relationship graph.
  - Click Map tactics and techniques to rule.
  - Select the tactics you want to associate with the rule. To learn more about the selected tactic, click the "More about..." link.
  - Select associated techniques.
  - Click Set Confidence.
  - Optional: Change the confidence level for the tactic.
  - Click Update Rule.
- Add another rule mapping or click Save Mapping.
  Note: Click the Remove Mapping icon in the Actions column to reset everything back to the default.
- Click Add Mapping to map more rules that are not listed in the default list.
- Select or search for a Group. All rules that are associated with a group as defined in your QRadar system are displayed.
  Note: You might see an empty group for the following reasons:
  - Some groups might be empty because they are empty in your QRadar system.
  - The rule that you want to select is already associated with the tactic.
- Select a Rule name from the list that is associated with the selected group. The tactics, techniques, and confidence are displayed in the QRadar Advisor with Watson relationship graph.
  - Click Map tactics and techniques to rule.
  - Select the tactics you want to associate with the rule. To learn more about the selected tactic, click the "More about..." link.
  - Select associated techniques.
  - Click Set Confidence.
  - Optional: Change the confidence level for the tactic.
  - Click Update Rule.
- Click Save Mapping.
- To remove all of your custom mappings and reset to the IBM default mappings, click Reset.