Customizing the Cyber Adversary Framework Mapping Application

Customize the Cyber Adversary Framework Mapping Application to map any custom rule in QRadar® to MITRE ATT&CK tactics and techniques.

Before you begin

With QRadar Advisor with Watson™ 2.6.0, the QRadar Use Case Manager is installed with the app, and the QRadar Use Case Manager version is updated to 2.3.1. The Use Case Manager includes MITRE ATT&CK mapping and visualization. Follow the instructions for the QRadar Use Case Manager. For more information, see QRadar Use Case Manager.
Attention: If you are using QRadar Advisor with Watson 2.5.3 or earlier, you can use the Cyber Adversary Framework Mapping Application that is included with QRadar Advisor with Watson. Do not use both the QRadar Use Case Manager and the Cyber Adversary Framework Mapping Application at the same time, or the mappings will go out of sync.

The following instructions apply to the Cyber Adversary Framework Mapping Application. You must complete the steps for creating an authorized service token before you proceed. For more information, see Configuring the Cyber Adversary Framework Mapping Application.

About this task

With the Cyber Adversary Framework Mapping Application, you can create your own rule mappings or modify IBM default mappings to map your custom rules to specific tactics and techniques. For example, if you see a rule that was triggered, you can map certain tactics and techniques to that rule.
Note: The QRadar Advisor with Watson app and later automatically maps MITRE ATT&CK tactics to CRE rules.

Procedure

  1. On the navigation menu, click Admin.
  2. In QRadar 7.3.3 or later, click Apps > Cyber Adversary Framework Mapping Application > Configuration.
    Figure: Cyber Adversary Framework Mapping Application app
  3. To overwrite IBM default mappings, filter on the Rule Name, Tactic, or Technique to find the rule that you want to edit.
  4. Click the Edit Mapping icon in the Actions column to customize the confidence level, tactics, and techniques that are associated with the rule. The tactics, techniques, and confidence are displayed in the QRadar Advisor with Watson relationship graph.
    1. Click Map tactics and techniques to rule.
    2. Select the tactics you want to associate with the rule. To learn more about the selected tactic, click the "More about..." link.
    3. Select associated techniques.
    4. Click Set Confidence.
    5. Optional: Change the confidence level for the tactic.
    6. Click Update Rule.
  5. Add another rule mapping or click Save Mapping.
    Figure: Edit Mapping
    Note: Click the Remove Mapping icon in the Actions column to reset everything back to the default.
  6. Click Add Mapping to map more rules that are not listed in the default list.
  7. Select or search for a Group. All rules that are associated with a group as defined in your QRadar system are displayed.
    Note: You might see an empty group for the following reasons:
    • The group is empty in your QRadar system.
    • The rule that you want to select is already associated with the tactic.
  8. Select a Rule name from the list that is associated with the selected group. The tactics, techniques, and confidence are displayed in the QRadar Advisor with Watson relationship graph.
    1. Click Map tactics and techniques to rule.
    2. Select the tactics you want to associate with the rule. To learn more about the selected tactic, click the "More about..." link.
    3. Select associated techniques.
    4. Click Set Confidence.
    5. Optional: Change the confidence level for the tactic.
    6. Click Update Rule.
  9. Click Save Mapping.
    Figure: Add Mapping
  10. To remove all of your custom mappings and reset to the IBM default mappings, click Reset.

Example

Figure: MITRE ATT&CK Mapping