MITRE ATT&CK® View

MITRE ATT&CK view provides Information Technology (IT) and Industrial Control Systems (ICS view summaries by selecting IT or ICS prior to the following available types of views.

Rule Coverage View

The Rule Coverage View provides an overview of the tactics and techniques that FortiSIEM covers as defined by MITRE Corporation. Go to INCIDENTS > MITRE ATT&CK® > [IT or ICS] > Rule Coverage to see this view. Rule Coverage can be set as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list and MITRE ATT&CK - Rule Coverage from the Incident Home drop-down list.

The ICS and IT Attack (Tactic Categories) are available.

ICS Attack (Tactic Categories) Table

The following table briefly describes the ICS attack (tactic) categories. See https://attack.mitre.org/tactics/ics/ for more detailed information.

Category (Tactic)

Description

Initial Access The adversary is trying to get into your network.
Execution The adversary is trying to run malicious code.
Persistence The adversary is trying to maintain their foothold.
Privilege Escalation The adversary is trying to gain higher-level permissions.
Evasion The adversary is trying to avoid security defenses.
Discovery The adversary is trying to figure out your environment.
Lateral Movement The adversary is trying to move through your environment.
Collection The adversary is trying to gather data of interest to their goal.
Command and Control The adversary is trying to communicate with compromised systems to control them.
Inhibit Response Function The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.
Impair Process Control The adversary is trying to manipulate, disable, or damage physical control processes.
Impact The adversary is trying to manipulate, interrupt, or destroy your systems and data.

IT Attack (Tactic Categories) Table

The following table briefly describes the IT attack (tactic) categories. See https://attack.mitre.org/matrices/enterprise/ for more detailed information.

Category (Tactic)

Description

Reconnaissance The adversary is trying to gather information they can use to plan future operations.
Resource Development The adversary is trying to establish resources they can use to support operations.

Initial Access

The adversary is trying to get into your network.

Execution

The adversary is trying to run malicious code.

Persistence

The adversary is trying to maintain their foothold.

Privilege Escalation

The adversary is trying to gain higher-level permissions.

Defense Evasion

The adversary is trying to avoid being detected.

Credential Access

The adversary is trying to steal account names and passwords.

Discovery

The adversary is trying to figure out your environment.

Lateral Movement

The adversary is trying to move through your environment.

Collection

The adversary is trying to gather data of interest to their goal.

Command and Control

The adversary is trying to communicate with compromised systems to control them.

Exfiltration

The adversary is trying to steal data.

Impact

The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Using the Rule Coverage View

To open the Rule Coverage View, go to INCIDENTS > MITRE ATT&CK® >[IT or ICS]Rule Coverage View. The top row displays the number of rules and the percentage of MITRE techniques that FortiSIEM covers. In the main row header, the bolded number that appears under each tactic indicates the number of rules that are covered under it. Clicking a tactic here will show all the rules that belong to it. Each tactic cell also lists the number of major techniques (Tech) and sub-techniques (Sub-Tech) related to the involved tactic. All major techniques related to a tactic are listed underneath their respective tactic column. Tactics and techniques covered by FortiSIEM rules are indicated by a light yellow background. You can hover your mouse cursor over any major technique to view the following information:

  • Total number of rules covered by the technique (security category)

  • The number of rules covered by each sub-technique (if applicable)

Left clicking on any technique will bring up a small menu, allowing you to select Detail or Show Rules.

Clicking on Detail will provide you with details about the major techniques and sub-techniques.

Clicking on Show Rules will display all the rules associated with the specific technique as provided in the following table:

Note: Clicking a tactic displays the rules information for all related techniques.

Note 2: Click the Columns drop-down list to select which headings you want to display.

Heading

Description

Status Provides information on whether a rule is enabled (checkmark), or is disabled ("X").
Name

The name of the rule is listed. You can left click on a rule to bring up the following selectable options:

  • Show in Resources > Rule - view/edit the selected rule on the Rules page.

  • Rule Summary - view the rule summary description.

Tactics The tactic involved with the rule is listed here.
Techniques The involved technique is listed here. You can click on the technique link to get detailed information from the attack.mitre.org site.
Description Detailed information about the technique is provided here.
Exceptions Any rule exceptions are listed here.

Searching Techniques in Rule Coverage View

A technique search field is available in the upper left corner. You can enter your query in the Search technique... field. Results are shown in real-time as you enter your query. A drop-down filter next to the Search technique... field is available. Your choices are:

  • Show All - all techniques are highlighted. The "Show All" text appears when Show Covered and Show Not Covered are both selected.

  • Show Covered - only techniques covered by FortiSIEM are displayed.

  • Show Not Covered - only techniques not covered by FortiSIEM are displayed.

Incident Coverage View

The Incident Coverage View provides an overview of the security incidents detected by FortiSIEM that fall under the tactics and techniques as defined by MITRE Corporation. Go to INCIDENTS > MITRE ATT&CK® >[IT or ICS] > Incident Coverage to see this view. Incident Coverage can be set as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list and MITRE ATT&CK - Incident Coverage from the Incident Home drop-down list.

The table in Rule Coverage View briefly describes the attack (tactic) categories also shown in Incident Coverage View.

Using the Incident Coverage View

To open the Incident Coverage View, go to INCIDENTS > MITRE ATT&CK® > [IT or ICS] > Incident Coverage View.The top row displays the number of incidents detected by FortiSIEM in the time range specified. In the main row header, the bolded number that appears under each tactic indicates the number of incidents associated with a specific tactic. Clicking a tactic will show all related detected incidents. Each tactic cell also lists the number of major techniques (Tech) and sub-techniques (Sub-Tech) related to the involved tactic/incidents. All major techniques related to a tactic are listed underneath their respective tactic column. Tactics and techniques covered by FortiSIEM rules are indicated by a light yellow background. You can hover your mouse cursor over any major technique to view the following information:

  • Total number of incidents triggered by this technique

  • The number of incidents triggered by each sub-technique (if applicable)

Left clicking on any technique will bring up a small menu, allowing you to select Detail or Show Incidents.

Clicking on Detail will provide you with details about the major technique and sub-techniques.

Clicking on Show Incidents will display all the incidents associated with the specific technique. It also provides the following Incident information:

Note: Click the Columns drop-down list to select which headings you want to display.

Heading

Description

Severity Category The severity/category of the incident is listed.
Last Occurred The date and time when the incident last occurred is listed.
Event Type The event type triggering the incident is displayed.
Incident

The event name of the incident is displayed. Clicking on it will bring up a drop-down list with the following options:

  • Show in Incident List View - displays the incident in Incident List View.

  • Rule Summary - displays the Rule Pattern Definitions that triggered the incident.

  • Triggering Events - displays the Event Details that triggered the event, including triggered event attributes.

Tactics The tactic involved with the rule is listed here.
Technique The involved technique is listed here. You can click on the technique link to get detailed information from the attack.mitre.org site.
Reporting The device that reported the incident is listed.
Source Source information from the triggered incident is listed. For example, the TCP/UDP Port involved with a protocol tunneling technique is provided.
Target The object targeted in the incident is listed. For example, the target user in a steal or forge kerberos tickets incident is listed.
Detail Additional information about the incident is provided here. For example, the command involved, service involved, or registry key is listed, if relevant.
Incident ID The incident ID is listed.

Searching Techniques in Incident Coverage View

A technique search field is available in the upper left corner. You can enter your query in the Search technique... field. Results are shown in real-time as you enter your query. A drop-down filter next to the Search technique... field is available. Your choices are:

  • Show All - all techniques are displayed. The "Show All" text appears when Show Triggered and Show Not Triggered are both selected.

  • Show Triggered - only techniques with triggered incidents are displayed.

  • Show Not Triggered - only techniques with no triggered incidents are displayed.

Filtering in Incident Coverage View

You can filter the incident data by attack category, whether the incident is active or cleared, and the time range when the incident occurred.

  • The Status drop-down list allows you to filter on Active and/or Cleared incidents.
  • The Time Range dialog box allows you to choose a relative or absolute time range. For relative times, enter a numerical value and then either Minutes, Hours, or Days from the drop-down list. For absolute times, use the calendar dialog to specify From and To dates.
  • For MSP deployments, the drop-down list allows you to filter incidents based on organizations.

MITRE ATT&CK Incident Explorer View

The MITRE ATT&CK Incident Explorer View maps security incidents detected by FortiSIEM into attack categories defined by MITRE Corporation (MITRE ATT&CK). Go to INCIDENTS > MITRE ATT&CK® > [IT or ICS] > Incident Explorer to see this view. The MITRE ATT&CK Incident Explorer can be set as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list and MITRE ATT&CK - Incident Explorer from the Incident Home drop-down list.

The table in Rule Coverage View briefly describes the attack (tactic) categories shown in MITRE ATT&CK Incident Explorer View.

Using the MITRE ATT&CK Incident Explorer View

To open the MITRE ATT&CK Incident Explorer View, go to INCIDENTS > MITRE ATT&CK® >[IT or ICS] > Incident Explorer. The table at the top of the MITRE ATT&CK Incident Explorer View displays the devices experiencing the security incidents and the MITRE ATT&CK categories into which the incidents fall. The circles in the table indicate:

  • Number - The number in the middle of the circle indicates the number of incidents in that category. Click the number to get more detail on the incidents. See Getting Detailed Information on an Incident.
  • Size - The size of the circle is relative to the number of incidents.
  • Color - The color of the circle indicates the severity of the incident: Red=HIGH severity, Yellow=MEDIUM severity, and Green=LOW severity.

Filtering in the MITRE ATT&CK Incident Explorer View

You can filter the incident data by attack category, whether the incident is active or cleared, and the time range when the incident occurred.

  • The Tactics drop–down list allows you to filter on one or more of the attack categories. You can also display All of the categories.
  • The Status drop-down list allows you to filter on Active and/or Cleared incidents.
  • The Time Range dialog box allows you to choose a relative or absolute time range. For relative times, enter a numerical value and then either Minutes, Hours, or Days from the drop-down list. For absolute times, use the calendar dialog to specify From and To dates.
  • For MSP deployments, the drop-down list allows you to filter incidents based on organizations.

Getting Detailed Information on an Incident

The lower pane of the MITRE ATT&CK Incident Explorer View provides a table with more detailed information about a security incident. You can populate the table in any of these ways:

  • Click a device to see all of the incidents associated with the device.
  • Open the Tactics drop-down list and choose one of the attack categories. All of the incidents associated with the selected category or categories are displayed. You can also choose to display All of the categories.
  • Click the number in the middle of the circle. All of the incidents associated with the selected device and category are displayed.

For more information on the column headings that appear in the lower pane of the Incident Explorer View, see Viewing Incidents.

Displaying Triggering Events for an Incident

Click an incident in the lower table to display its triggering events. Another pane opens below the Incident table. It displays information related to the event that triggered the incident, such as Host Name, Host IP, and so on.