MITRE ATT&CK® View

The following sections describe the three views that are available through the MITRE ATT&CK view:

Rule Coverage View

The Rule Coverage View provides an overview of the tactics and techniques that FortiSIEM covers as defined by MITRE Corporation. Go to INCIDENTS > MITRE ATT&CK® > Rule Coverage to see this view. Rule Coverage can be set as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list and MITRE ATT&CK - Rule Coverage from the Incident Home drop-down list.

The following table briefly describes the attack (tactic) categories. See https://attack.mitre.org/matrices/enterprise/ for more detailed information.

Category (Tactic)      Description
Reconnaissance         The adversary is trying to gather information they can use to plan future operations.
Resource Development   The adversary is trying to establish resources they can use to support operations.
Initial Access         The adversary is trying to get into your network.
Execution              The adversary is trying to run malicious code.
Persistence            The adversary is trying to maintain their foothold.
Privilege Escalation   The adversary is trying to gain higher-level permissions.
Defense Evasion        The adversary is trying to avoid being detected.
Credential Access      The adversary is trying to steal account names and passwords.
Discovery              The adversary is trying to figure out your environment.
Lateral Movement       The adversary is trying to move through your environment.
Collection             The adversary is trying to gather data of interest to their goal.
Command and Control    The adversary is trying to communicate with compromised systems to control them.
Exfiltration           The adversary is trying to steal data.
Impact                 The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Using the Rule Coverage View

To open the Rule Coverage View, go to INCIDENTS > MITRE ATT&CK® > Rule Coverage View. The top row displays the number of rules and the percentage of MITRE techniques that FortiSIEM covers. In the main row header, the bolded number under each tactic indicates how many rules map to that tactic. Clicking a tactic shows all the rules that belong to it. Each tactic cell also lists the number of major techniques (Tech) and sub-techniques (Sub-Tech) under that tactic. All major techniques related to a tactic are listed underneath their respective tactic column. Tactics and techniques covered by FortiSIEM rules are indicated by a light yellow background. Hover your mouse cursor over any major technique to view the following information:

  • Total number of rules mapped to the technique (security category)

  • The number of rules mapped to each sub-technique (if applicable)

Left clicking on any technique will bring up a small menu, allowing you to select Detail or Show Rules.

Clicking on Detail will provide you with details about the major techniques and sub-techniques.

Clicking on Show Rules displays all the rules associated with the specific technique, with the columns described in the following table:

Note: Clicking a tactic displays the rules information for all related techniques.

Note 2: Click the Columns drop-down list to select which headings you want to display.

Heading        Description
Status         Whether the rule is enabled (checkmark) or disabled ("X").
Name           The name of the rule. Left click a rule to bring up the following selectable options:
                 • Show in Resources > Rule - view/edit the selected rule on the Rules page.
                 • Rule Summary - view the rule summary description.
Tactics        The tactic associated with the rule.
Techniques     The technique associated with the rule. Click the technique link to get detailed information from the attack.mitre.org site.
Description    Detailed information about the technique.
Exceptions     Any rule exceptions.

Searching Techniques in Rule Coverage View

A technique search field is available in the upper left corner. You can enter your query in the Search technique... field. Results are shown in real-time as you enter your query. A drop-down filter next to the Search technique... field is available. Your choices are:

  • Show All - all techniques are highlighted. The "Show All" text appears when Show Covered and Show Not Covered are both selected.

  • Show Covered - only techniques covered by FortiSIEM are displayed.

  • Show Not Covered - only techniques not covered by FortiSIEM are displayed.

Incident Coverage View

The Incident Coverage View provides an overview of the security incidents detected by FortiSIEM that fall under the tactics and techniques as defined by MITRE Corporation. Go to INCIDENTS > MITRE ATT&CK® > Incident Coverage to see this view. Incident Coverage can be set as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list and MITRE ATT&CK - Incident Coverage from the Incident Home drop-down list.

The table in Rule Coverage View briefly describes the attack (tactic) categories also shown in Incident Coverage View.

Using the Incident Coverage View

To open the Incident Coverage View, go to INCIDENTS > MITRE ATT&CK® > Incident Coverage View. The top row displays the number of incidents detected by FortiSIEM in the specified time range. In the main row header, the bolded number under each tactic indicates the number of incidents associated with that tactic. Clicking a tactic shows all related detected incidents. Each tactic cell also lists the number of major techniques (Tech) and sub-techniques (Sub-Tech) under that tactic that have incidents. All major techniques related to a tactic are listed underneath their respective tactic column. Tactics and techniques covered by FortiSIEM rules are indicated by a light yellow background. Hover your mouse cursor over any major technique to view the following information:

  • Total number of incidents triggered by this technique

  • The number of incidents triggered by each sub-technique (if applicable)

Left clicking on any technique will bring up a small menu, allowing you to select Detail or Show Incidents.

Clicking on Detail will provide you with details about the major technique and sub-techniques.

Clicking on Show Incidents will display all the incidents associated with the specific technique. It also provides the following Incident information:

Note: Click the Columns drop-down list to select which headings you want to display.

Heading            Description
Severity Category  The severity/category of the incident.
Last Occurred      The date and time when the incident last occurred.
Event Type         The event type that triggered the incident.
Event Name         The event name of the incident. Clicking it brings up a drop-down list with the following options:
                     • Show in Incident List View - displays the incident in Incident List View.
                     • Rule Summary - displays the Rule Pattern Definitions that triggered the incident.
                     • Triggering Events - displays the Event Details that triggered the incident, including triggered event attributes.
Tactics            The tactic associated with the rule.
Technique          The technique associated with the rule. Click the technique link to get detailed information from the attack.mitre.org site.
Reporting          The device that reported the incident.
Source             Source information from the triggered incident. For example, the TCP/UDP port involved in a protocol tunneling technique.
Target             The object targeted in the incident. For example, the target user in a steal or forge Kerberos tickets incident.
Detail             Additional information about the incident. For example, the command, service, or registry key involved, if relevant.
Incident ID        The incident ID.

Searching Techniques in Incident Coverage View

A technique search field is available in the upper left corner. You can enter your query in the Search technique... field. Results are shown in real-time as you enter your query. A drop-down filter next to the Search technique... field is available. Your choices are:

  • Show All - all techniques are displayed. The "Show All" text appears when Show Triggered and Show Not Triggered are both selected.

  • Show Triggered - only techniques with triggered incidents are displayed.

  • Show Not Triggered - only techniques with no triggered incidents are displayed.

Filtering in Incident Coverage View

You can filter the incident data by attack category, whether the incident is active or cleared, and the time range when the incident occurred.

  • The Status drop-down list allows you to filter on Active and/or Cleared incidents.
  • The Time Range dialog box allows you to choose a relative or absolute time range. For relative times, enter a numerical value and then either Minutes, Hours, or Days from the drop-down list. For absolute times, use the calendar dialog to specify From and To dates.
  • For MSP deployments, the drop-down list allows you to filter incidents based on organizations.
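As an added example (not FortiSIEM code), the following Python tallies a constructed set of items, rules for the Rule Coverage View or incidents for the Incident Coverage View, into the per-tactic, per-technique and per-sub-technique counts those views display, computes the covered-technique percentage shown in the top row, and lists what the Show Not Covered / Show Not Triggered filters would return. MATRIX, ITEMS, tally and untouched are assumed names; the matrix excerpt is constructed, and a real tool would load MITRE's full published ATT&CK data.

```python
from collections import Counter

# Constructed excerpt of the ATT&CK Enterprise matrix: technique ID -> tactics.
# T1055 sits under two tactics, so one item on it counts under both columns.
MATRIX = {
    "T1059": ("Execution",), "T1059.001": ("Execution",),
    "T1003": ("Credential Access",), "T1003.001": ("Credential Access",),
    "T1021": ("Lateral Movement",), "T1021.001": ("Lateral Movement",),
    "T1055": ("Defense Evasion", "Privilege Escalation"),
    "T1055.001": ("Defense Evasion", "Privilege Escalation"),
    "T1071": ("Command and Control",), "T1071.001": ("Command and Control",),
}

# Constructed items: (name, active flag, technique IDs). For a Rule Coverage
# tally the flag means "rule enabled"; for Incident Coverage, "incident active".
ITEMS = [
    ("Suspicious PowerShell Launch", True, ["T1059.001"]),
    ("LSASS Memory Access", True, ["T1003.001"]),
    ("Credential Dump Tool Seen", False, ["T1003"]),
    ("Remote Desktop From New Host", True, ["T1021.001"]),
    ("Process Injection Detected", True, ["T1055"]),
]

def parent(tid):
    """T1003.001 -> T1003; a major technique is its own parent."""
    return tid.split(".")[0]

def tally(items, matrix, active_only=False):
    """Per-tactic, per-technique and per-sub-technique counts, plus the % of major techniques hit."""
    per_tactic, per_tech, per_sub = Counter(), Counter(), Counter()
    for _name, active, tids in items:
        if active_only and not active:
            continue
        tactics = set()
        for tid in tids:
            per_tech[parent(tid)] += 1     # sub-technique hits roll up to the major technique
            if "." in tid:
                per_sub[tid] += 1
            tactics.update(matrix.get(tid, ()))
        for tactic in tactics:             # an item counts once per tactic it touches
            per_tactic[tactic] += 1
    majors = [t for t in matrix if "." not in t]
    hit = sum(1 for t in majors if per_tech[t] > 0)
    pct = round(100.0 * hit / len(majors), 1) if majors else 0.0
    return per_tactic, per_tech, per_sub, pct

def untouched(matrix, per_tech):
    """Show Not Covered / Show Not Triggered: major techniques with no item."""
    return sorted(t for t in matrix if "." not in t and per_tech[t] == 0)
```

Running tally(ITEMS, MATRIX, active_only=True) reproduces the Status filter: the disabled credential-dump rule drops out, so Credential Access falls from 2 to 1 while the coverage percentage is unchanged.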

MITRE ATT&CK Incident Explorer View

The MITRE ATT&CK Incident Explorer View maps security incidents detected by FortiSIEM into attack categories defined by MITRE Corporation (MITRE ATT&CK). Go to INCIDENTS > MITRE ATT&CK® > Incident Explorer to see this view. The MITRE ATT&CK Incident Explorer can be set as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list and MITRE ATT&CK - Incident Explorer from the Incident Home drop-down list.

The table in Rule Coverage View briefly describes the attack (tactic) categories shown in MITRE ATT&CK Incident Explorer View.

Using the MITRE ATT&CK Incident Explorer View

To open the MITRE ATT&CK Incident Explorer View, go to INCIDENTS > MITRE ATT&CK® > Incident Explorer. The table at the top of the MITRE ATT&CK Incident Explorer View displays the devices experiencing the security incidents and the MITRE ATT&CK categories into which the incidents fall. The circles in the table indicate:

  • Number - The number in the middle of the circle indicates the number of incidents in that category. Click the number to get more detail on the incidents. See Getting Detailed Information on an Incident.
  • Size - The size of the circle is relative to the number of incidents.
  • Color - The color of the circle indicates the severity of the incident: Red=HIGH severity, Yellow=MEDIUM severity, and Green=LOW severity.

Filtering in the MITRE ATT&CK Incident Explorer View

You can filter the incident data by attack category, whether the incident is active or cleared, and the time range when the incident occurred.

  • The Tactics drop-down list allows you to filter on one or more of the attack categories. You can also display All of the categories.
  • The Status drop-down list allows you to filter on Active and/or Cleared incidents.
  • The Time Range dialog box allows you to choose a relative or absolute time range. For relative times, enter a numerical value and then either Minutes, Hours, or Days from the drop-down list. For absolute times, use the calendar dialog to specify From and To dates.
  • For MSP deployments, the drop-down list allows you to filter incidents based on organizations.

Getting Detailed Information on an Incident

The lower pane of the MITRE ATT&CK Incident Explorer View provides a table with more detailed information about a security incident. You can populate the table in any of these ways:

  • Click a device to see all of the incidents associated with the device.
  • Open the Tactics drop-down list and choose one of the attack categories. All of the incidents associated with the selected category or categories are displayed. You can also choose to display All of the categories.
  • Click the number in the middle of the circle. All of the incidents associated with the selected device and category are displayed.
  • Click an incident and all of the actions in the Action drop-down list that you can perform on the event become available. See Acting on Incidents.

For more information on the column headings that appear in the lower pane of the Incident Explorer View, see Viewing Incidents.

Displaying Triggering Events for an Incident

Click an incident in the lower table to display its triggering events. Another pane opens below the Incident table. It displays information related to the event that triggered the incident, such as Host Name, Host IP, and so on.