MITRE ATT&CK® View

MITRE ATT&CK view provides Information Technology (IT) and Industrial Control Systems (ICS) view summaries. Select IT or ICS first, then choose one of the following available views.

Rule Coverage View

The Rule Coverage View provides an overview of the tactics and techniques that FortiSIEM covers as defined by MITRE Corporation. Go to INCIDENTS > MITRE ATT&CK® > [IT or ICS] > Rule Coverage to see this view. Rule Coverage can be set as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list and MITRE ATT&CK - Rule Coverage from the Incident Home drop-down list.

Tactic category tables are provided for both ICS and IT.

ICS Attack (Tactic Categories) Table

The following table briefly describes the ICS attack (tactic) categories. See https://attack.mitre.org/tactics/ics/ for more detailed information.

Category (Tactic)

Description

Initial Access ICS The adversary is trying to get into your network.
Execution ICS The adversary is trying to run malicious code.
Persistence ICS The adversary is trying to maintain their foothold.
Privilege Escalation ICS The adversary is trying to gain higher-level permissions.
Evasion ICS The adversary is trying to avoid security defenses.
Discovery ICS The adversary is trying to figure out your environment.
Lateral Movement ICS The adversary is trying to move through your environment.
Collection ICS The adversary is trying to gather data of interest to their goal.
Command and Control ICS The adversary is trying to communicate with compromised systems to control them.
Inhibit Response Function The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.
Impair Process Control The adversary is trying to manipulate, disable, or damage physical control processes.
Impact ICS The adversary is trying to manipulate, interrupt, or destroy your systems and data.

IT Attack (Tactic Categories) Table

The following table briefly describes the IT attack (tactic) categories. See https://attack.mitre.org/matrices/enterprise/ for more detailed information.

Category (Tactic)

Description

Reconnaissance The adversary is trying to gather information they can use to plan future operations.
Resource Development The adversary is trying to establish resources they can use to support operations.
Initial Access The adversary is trying to get into your network.
Execution The adversary is trying to run malicious code.
Persistence The adversary is trying to maintain their foothold.
Privilege Escalation The adversary is trying to gain higher-level permissions.
Defense Evasion The adversary is trying to avoid being detected.
Credential Access The adversary is trying to steal account names and passwords.
Discovery The adversary is trying to figure out your environment.
Lateral Movement The adversary is trying to move through your environment.
Collection The adversary is trying to gather data of interest to their goal.
Command and Control The adversary is trying to communicate with compromised systems to control them.
Exfiltration The adversary is trying to steal data.
Impact The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Using the Rule Coverage View

To open the Rule Coverage View, go to INCIDENTS > MITRE ATT&CK® > [IT or ICS] > Rule Coverage. The top row displays the number of rules and the percentage of MITRE techniques that FortiSIEM covers. In the main row header, the bolded number under each tactic indicates the number of rules covered under it. Clicking a tactic shows all the rules that belong to it. Each tactic cell also lists the number of major techniques (Tech) and sub-techniques (Sub-Tech) related to that tactic. All major techniques related to a tactic are listed underneath their respective tactic column. Tactics and techniques covered or not covered by FortiSIEM rules can be selected from the "Show All" drop-down list. You can hover your mouse cursor over any major technique to view the following information:

  • Total number of rules covered by the technique (security category)
  • The number of rules covered by each sub-technique (if applicable)

Left clicking on any technique will bring up a small menu, allowing you to select Detail or Show Rules.

Clicking on Detail will provide you with details about the major techniques and sub-techniques.

Clicking on Show Rules will display all the rules associated with the specific technique as provided in the following table:

Note: Clicking a tactic displays the rules information for all related techniques.

Note 2: Click the Columns drop-down list to select which headings you want to display.

Heading

Description

Status Provides information on whether a rule is enabled (checkmark), or is disabled ("X").
Name

The name of the rule is listed. You can left click on a rule to bring up the following selectable options:

  • Show in Resources > Rule - view/edit the selected rule on the Rules page.
  • Rule Summary - view the rule summary description.
Tactics The tactic involved with the rule is listed here.
Techniques The involved technique is listed here. You can click on the technique link to get detailed information from the attack.mitre.org site.
Description Detailed information about the Rule is provided here.
Exceptions Any rule exceptions are listed here.

Searching Techniques in Rule Coverage View

A technique search field is available in the upper left corner. You can enter your query in the Search technique... field. Results are shown in real-time as you enter your query. A drop-down filter next to the Search technique... field is available. Your choices are:

  • Show All - all techniques are highlighted. The "Show All" text appears when Show Covered and Show Not Covered are both selected.
  • Show Covered - only techniques covered by FortiSIEM are displayed.
  • Show Not Covered - only techniques not covered by FortiSIEM are displayed.
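The figures the Rule Coverage View reports (rules per tactic, Tech and Sub-Tech counts, covered and not-covered techniques, the covered-technique percentage, and the Show Covered / Show Not Covered filter) can be reproduced from a rule-to-technique mapping. The following is an added example written for this page, not FortiSIEM code: the rules, their names and their mappings are constructed sample data, the technique IDs are real ATT&CK IDs used only for illustration, and each technique is assigned a single tactic (a simplification; ATT&CK lets a technique belong to several).

```python
"""Rule-coverage arithmetic behind a MITRE ATT&CK coverage view (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Technique:
    tid: str      # "T1059" (major) or "T1059.001" (sub-technique)
    name: str
    tactic: str   # one tactic per entry (simplification of ATT&CK)


@dataclass
class Rule:
    name: str
    enabled: bool
    techniques: list  # technique IDs the rule is mapped to


def parent_id(tid):
    """Sub-technique 'T1059.001' rolls up into major technique 'T1059'."""
    return tid.split(".")[0]


def coverage_summary(techniques, rules):
    """Per-tactic and overall coverage figures.

    A major technique is covered when at least one rule maps to it or to one of
    its sub-techniques (the roll-up shown when hovering a technique). Disabled
    rules still count toward coverage; the view marks them with an X.
    """
    by_id = {t.tid: t for t in techniques}
    rules_per_major = defaultdict(set)
    rules_per_sub = defaultdict(set)
    rules_per_tactic = defaultdict(set)
    mapped_rules = set()
    for r in rules:
        for tid in r.techniques:
            if tid not in by_id:
                continue  # mapping to an unknown ID is ignored, not counted
            mapped_rules.add(r.name)
            rules_per_major[parent_id(tid)].add(r.name)
            if "." in tid:
                rules_per_sub[tid].add(r.name)
            rules_per_tactic[by_id[tid].tactic].add(r.name)

    tactics = {}
    for t in techniques:
        cell = tactics.setdefault(
            t.tactic, {"rules": 0, "tech": 0, "sub_tech": 0, "covered": [], "not_covered": []})
        if "." in t.tid:
            cell["sub_tech"] += 1
        else:
            cell["tech"] += 1
            key = "covered" if rules_per_major.get(t.tid) else "not_covered"
            cell[key].append(t.tid)
    for tactic, cell in tactics.items():
        cell["rules"] = len(rules_per_tactic[tactic])

    majors = sum(c["tech"] for c in tactics.values())
    covered = sum(len(c["covered"]) for c in tactics.values())
    return {
        "tactics": tactics,
        "total_rules": len(mapped_rules),
        "covered_technique_pct": round(100.0 * covered / majors, 1) if majors else 0.0,
        "rules_per_sub_technique": {k: sorted(v) for k, v in rules_per_sub.items()},
    }


def filter_techniques(summary, mode="Show All"):
    """The Show All / Show Covered / Show Not Covered drop-down."""
    keys = {"Show All": ("covered", "not_covered"),
            "Show Covered": ("covered",),
            "Show Not Covered": ("not_covered",)}[mode]
    return sorted(tid for cell in summary["tactics"].values()
                  for key in keys for tid in cell[key])


# Constructed sample data: a small ATT&CK subset and five made-up rules mapped to it.
SAMPLE_TECHNIQUES = [
    Technique("T1059", "Command and Scripting Interpreter", "Execution"),
    Technique("T1059.001", "PowerShell", "Execution"),
    Technique("T1059.003", "Windows Command Shell", "Execution"),
    Technique("T1078", "Valid Accounts", "Initial Access"),
    Technique("T1110", "Brute Force", "Credential Access"),
    Technique("T1110.001", "Password Guessing", "Credential Access"),
    Technique("T1003", "OS Credential Dumping", "Credential Access"),
    Technique("T1021", "Remote Services", "Lateral Movement"),
    Technique("T1021.001", "Remote Desktop Protocol", "Lateral Movement"),
]
SAMPLE_RULES = [
    Rule("PowerShell Encoded Command", True, ["T1059.001"]),
    Rule("Excessive Failed Logons", True, ["T1110.001"]),
    Rule("Brute Force Attempt", False, ["T1110"]),
    Rule("LSASS Memory Access", True, ["T1003"]),
    Rule("RDP Lateral Movement", True, ["T1021.001"]),
]

if __name__ == "__main__":
    s = coverage_summary(SAMPLE_TECHNIQUES, SAMPLE_RULES)
    print(s["total_rules"], "rules,", s["covered_technique_pct"], "% of major techniques covered")
    print("Show Not Covered ->", filter_techniques(s, "Show Not Covered"))
```

With the sample data the Initial Access column has one Tech, no Sub-Tech and no rules, so "Show Not Covered" returns only T1078; that list is the gap analysis a detection engineer would work from when deciding which rules to write or enable next.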

Incident Coverage View

The Incident Coverage View provides an overview of the security incidents detected by FortiSIEM that fall under the tactics and techniques as defined by MITRE Corporation. Go to INCIDENTS > MITRE ATT&CK® > [IT or ICS] > Incident Coverage to see this view. Incident Coverage can be set as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list and MITRE ATT&CK - Incident Coverage from the Incident Home drop-down list.

The table in Rule Coverage View briefly describes the attack (tactic) categories also shown in Incident Coverage View.

Using the Incident Coverage View

To open the Incident Coverage View, go to INCIDENTS > MITRE ATT&CK® > [IT or ICS] > Incident Coverage. The top row displays the number of incidents detected by FortiSIEM in the specified time range. In the main row header, the bolded number under each tactic indicates the number of incidents associated with that tactic. Clicking a tactic shows all related detected incidents. Each tactic cell also lists the number of major techniques (Tech) and sub-techniques (Sub-Tech) related to that tactic and its incidents. All major techniques related to a tactic are listed underneath their respective tactic column. Tactics and techniques covered or not covered by FortiSIEM rules can be selected from the "Show All" drop-down list. You can hover your mouse cursor over any major technique to view the following information:

  • Total number of incidents triggered by this technique
  • The number of incidents triggered by each sub-technique (if applicable)

Left clicking on any technique will bring up a small menu, allowing you to select Detail or Show Incidents.

Clicking on Detail will provide you with details about the major technique and sub-techniques.

Clicking on Show Incidents will display all the incidents associated with the specific technique. It also provides the following Incident information:

Note: Click the Columns drop-down list to select which headings you want to display.

Heading

Description

Severity Category The severity/category of the incident is listed.
Last Occurred The date and time when the incident last occurred is listed.
Incident

The event name of the incident is displayed. Clicking on it will bring up a drop-down list with the following options:

  • Add to Filter - Click to add to filtered list.
  • Create Case - Create a case with the incident. See here for more information.
  • Add to Case... - Add incident to an existing case. See here for more information.
  • Remediate Incident - Run a remediation on the incident. See here for more information.
  • Rule Summary - displays the Rule Pattern Definitions that triggered the incident.
  • Triggering Events - displays the Event Details that triggered the event, including triggered event attributes.
  • Investigate - takes you to Analytics > Investigation with the incident.
Tactics The tactic involved with the rule is listed here.
Technique The involved technique is listed here. You can click on the technique link to get detailed information from the attack.mitre.org site.
Target The object targeted in the incident is listed. For example, the target user in a steal or forge Kerberos tickets incident is listed.
Detail Additional information about the incident is provided here. For example, the command involved, service involved, or registry key is listed, if relevant.
Incident ID The incident ID is listed.
Reporting The device that reported the incident is listed.
Source Source information from the triggered incident is listed. For example, the TCP/UDP Port involved with a protocol tunneling technique is provided.
Incident Status

An incident's status can be one of the following:

  • Active: An ongoing incident.
  • Manually Cleared: Cleared manually by a user - the incident is no longer active.
  • Auto Cleared: Automatically cleared by the system when the rule clearing condition is met. Rule clearance logic can be set in the rule definition.
  • System Cleared: Cleared by the system. All non-security related incidents are cleared from the system every night at midnight local time, and will show a status of System Cleared.
  • Externally Cleared: Cleared in the external ticketing system.
Resolution The resolution for an incident can be:
  • Open (not defined or not known whether the incident is True Positive or False Positive)
  • True Positive, or
  • False Positive

When an Incident Status is Active, Incident Resolution is Open. When an Incident is Cleared, then the user can set the Incident Resolution to be True Positive or False Positive. If you are changing the Incident Resolution to be True Positive or False Positive, then you must Clear the Incident.

First Occurred The first time that the incident was triggered.
Event Type The event type triggering the incident is displayed.
Reporting IP IP addresses of the devices reporting the incident.
Case Status Current status of the case associated with the incident.
Case User The user assigned to a case related to the incident.
Case ID The Case ID for the case associated with the incident. Click the Case ID link to go to the Cases page for the selected case.
Incident Comments Comments from Incidents Comments/Root Incident Comments.
Organization The organization where the case was created.
Biz Service Name of the business services affected by this incident.
Notification Status Incident notification status.
Notification Recipients Incident notification recipients.
Cleared Reason Reason for clearing the incident if it was cleared.
Cleared Time Time at which the incident was cleared.
Cleared User User who cleared the incident.
Count Number of times the incident triggered between the first and last seen times.
External User External user assigned to a ticket in an external ticketing system.
External Cleared Time Time when the incident was resolved in an external ticketing system.
External Ticket ID ID of a ticket in an external ticketing system such as ServiceNow, ConnectWise, etc.
External Ticket State State of a ticket in an external ticketing system.

View Status Whether the Incident has been Read or Not.
Reporting Device Status Status of the device: Approved or Pending. Incidents are triggered only for approved devices; pending devices are still monitored.
Category The category of the triggered incident. Categories are Availability, Performance, Change, Security and Other.
Subcategory Subcategory of the triggered incident. To add custom subcategories to an incident category, see here.
Incident Title A system default title or a user-defined title for an incident.

Tag Name of the tag involved with the rule that triggered the incident.
Instance Org Name of the instance organization.
Confidence The confidence level of a threat.

Searching Techniques in Incident Coverage View

A technique search field is available in the upper left corner. You can enter your query in the Search technique... field. Results are shown in real-time as you enter your query. A drop-down filter next to the Search technique... field is available. Your choices are:

  • Show All - all techniques are displayed. The "Show All" text appears when Show Triggered and Show Not Triggered are both selected.
  • Show Triggered - only techniques with triggered incidents are displayed.
  • Show Not Triggered - only techniques with no triggered incidents are displayed.

Filtering in Incident Coverage View

You can filter the incident data, whether the incident is active or cleared, and the time range when the incident occurred.

  • The Status drop-down list allows you to filter on Active and/or Cleared incidents.
  • The Time Range dialog box allows you to choose a relative or absolute time range. For relative times, enter a numerical value and then either Minutes, Hours, or Days from the drop-down list. For absolute times, use the calendar dialog to specify From and To dates.
  • For MSP deployments, the drop-down list allows you to filter incidents based on organizations.

MITRE ATT&CK Incident Explorer View

The MITRE ATT&CK Incident Explorer View maps security incidents detected by FortiSIEM into attack categories defined by MITRE Corporation (MITRE ATT&CK). Go to INCIDENTS > MITRE ATT&CK® > [IT or ICS] > Incident Explorer to see this view. The MITRE ATT&CK Incident Explorer can be set as the default view by selecting User Profile > UI Settings then choosing Incidents from the Home drop-down list and MITRE ATT&CK - Incident Explorer from the Incident Home drop-down list.

The table in Rule Coverage View briefly describes the attack (tactic) categories shown in MITRE ATT&CK Incident Explorer View.

Using the MITRE ATT&CK Incident Explorer View

To open the MITRE ATT&CK Incident Explorer View, go to INCIDENTS > MITRE ATT&CK® > [IT or ICS] > Incident Explorer. The table at the top of the MITRE ATT&CK Incident Explorer View displays the devices experiencing the security incidents and the MITRE ATT&CK categories into which the incidents fall. The circles in the table indicate:

  • Number - The number in the middle of the circle indicates the number of incidents in that category. Click the number to get more detail on the incidents. See Getting Detailed Information on an Incident.
  • Size - The size of the circle is relative to the number of incidents.
  • Color - The color of the circle indicates the severity of the incident: Red=HIGH severity, Orange=MEDIUM severity, and Green=LOW severity.

Filtering in the MITRE ATT&CK Incident Explorer View

You can filter the incident data, whether the incident is active or cleared, and the time range when the incident occurred.

  • The Tactics drop-down list allows you to filter on one or more of the attack categories. You can also display All of the categories.
  • The Status drop-down list allows you to filter on Active and/or Cleared incidents.
  • The Time Range dialog box allows you to choose a relative or absolute time range. For relative times, enter a numerical value and then either Minutes, Hours, or Days from the drop-down list. For absolute times, use the calendar dialog to specify From and To dates.
  • For MSP deployments, the drop-down list allows you to filter incidents based on organizations.
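The incident-side views described above (the Incident Coverage hover counts per technique and sub-technique, the Show Triggered / Show Not Triggered filter, the Status and Time Range filters, the device-by-tactic circle matrix of the Incident Explorer, and the rule that an incident must be cleared before its Resolution can be set to True Positive or False Positive) can be modelled from a list of incidents. The block below is an added example written for this page, not FortiSIEM code. The incidents, device names and timestamps are constructed; the technique IDs are real ATT&CK IDs used only for illustration; and the choice to colour a circle by the highest severity among its incidents is an assumption, since the page only states that colour reflects severity.

```python
"""Incident aggregation behind the Incident Coverage and Incident Explorer views (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CLEARED = {"Manually Cleared", "Auto Cleared", "System Cleared", "Externally Cleared"}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
CIRCLE_COLOR = {"HIGH": "Red", "MEDIUM": "Orange", "LOW": "Green"}


@dataclass
class Incident:
    incident_id: int
    device: str            # reporting device
    tactic: str
    technique: str         # major ("T1110") or sub-technique ("T1110.001") ID
    severity: str          # HIGH / MEDIUM / LOW, as the explorer colours them
    status: str            # "Active" or one of the cleared statuses
    last_occurred: datetime
    resolution: str = "Open"


def relative_window(value, unit):
    """Relative Time Range: a number plus Minutes, Hours or Days."""
    return timedelta(**{unit.lower(): value})


def select(incidents, statuses=("Active", "Cleared"), window=None, now=None):
    """Status drop-down plus Time Range. window is a timedelta (relative range
    ending at now), a (start, end) tuple (absolute), or None for no limit."""
    if window is None:
        start = end = None
    elif isinstance(window, timedelta):
        start, end = now - window, now
    else:
        start, end = window
    out = []
    for inc in incidents:
        if inc.status == "Active":
            wanted = "Active" in statuses
        else:
            wanted = "Cleared" in statuses and inc.status in CLEARED
        if wanted and (start is None or start <= inc.last_occurred <= end):
            out.append(inc)
    return out


def technique_counts(incidents):
    """Hover figures: incidents per major technique and per sub-technique."""
    totals = defaultdict(int)
    per_sub = defaultdict(lambda: defaultdict(int))
    for inc in incidents:
        major = inc.technique.split(".")[0]
        totals[major] += 1
        if "." in inc.technique:
            per_sub[major][inc.technique] += 1
    return dict(totals), {m: dict(s) for m, s in per_sub.items()}


def triggered_filter(all_majors, totals, mode="Show All"):
    """Show All / Show Triggered / Show Not Triggered drop-down."""
    if mode == "Show Triggered":
        return sorted(t for t in all_majors if totals.get(t, 0) > 0)
    if mode == "Show Not Triggered":
        return sorted(t for t in all_majors if totals.get(t, 0) == 0)
    return sorted(all_majors)


def explorer_matrix(incidents):
    """Device x tactic cells: count, colour from the highest severity in the
    cell (assumption), and size relative to the largest cell."""
    cells = {}
    for inc in incidents:
        cell = cells.setdefault((inc.device, inc.tactic), {"count": 0, "severity": "LOW"})
        cell["count"] += 1
        if SEVERITY_RANK[inc.severity] > SEVERITY_RANK[cell["severity"]]:
            cell["severity"] = inc.severity
    biggest = max((c["count"] for c in cells.values()), default=1)
    for cell in cells.values():
        cell["color"] = CIRCLE_COLOR[cell["severity"]]
        cell["size"] = round(cell["count"] / biggest, 2)
    return cells


def set_resolution(inc, resolution):
    """Resolution stays Open while Active; True/False Positive needs a cleared incident."""
    if resolution not in ("Open", "True Positive", "False Positive"):
        raise ValueError(f"unknown resolution {resolution!r}")
    if inc.status == "Active" and resolution != "Open":
        raise ValueError("clear the incident before setting True/False Positive")
    inc.resolution = resolution
    return inc.resolution


# Constructed sample: six incidents on two devices around a fixed 'now'.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    Incident(1, "srv-dc01", "Credential Access", "T1110.001", "HIGH", "Active", NOW - timedelta(hours=1)),
    Incident(2, "srv-dc01", "Credential Access", "T1110.001", "MEDIUM", "Auto Cleared", NOW - timedelta(hours=2)),
    Incident(3, "srv-dc01", "Credential Access", "T1003", "HIGH", "Active", NOW - timedelta(minutes=30)),
    Incident(4, "ws-fin-07", "Execution", "T1059.001", "MEDIUM", "Active", NOW - timedelta(hours=3)),
    Incident(5, "ws-fin-07", "Lateral Movement", "T1021.001", "LOW", "Manually Cleared", NOW - timedelta(days=2)),
    Incident(6, "ws-fin-07", "Execution", "T1059.003", "LOW", "Active", NOW - timedelta(days=10)),
]
```

A typical call is `explorer_matrix(select(SAMPLE_INCIDENTS, ("Active", "Cleared"), relative_window(7, "Days"), NOW))`, which yields a Red circle of full size for srv-dc01 under Credential Access and smaller Orange and Green circles for ws-fin-07; narrowing the status filter to Active alone and the window to one day drops the cleared and the ten-day-old incidents from every count.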

Getting Detailed Information on an Incident

The lower pane of the MITRE ATT&CK Incident Explorer View provides a table with more detailed information about a security incident. You can populate the table in any of these ways:

  • Click a device to see all of the incidents associated with the device.
  • Open the Tactics drop-down list and choose one of the attack categories. All of the incidents associated with the selected category or categories are displayed. You can also choose to display All of the categories.
  • Click the number in the middle of the circle. All of the incidents associated with the selected device and category are displayed.

For more information on the column headings that appear in the lower pane of the Incident Explorer View, see Viewing Incidents.

Displaying Triggering Events for an Incident

Select Incident Details from the caret drop-down next to Event Name, then select the Trigger Events icon to display information related to the event that triggered the incident, such as Host Name, Host IP, and so on.