MITRE ATT&CK® displays the techniques that fall under each tactic. For every technique, the list of workbooks mapped to it is displayed, indicating which techniques an attacker may have used. This lets you visualize the security gaps within the organization and the ways to mitigate them.
- Click the MITRE ATT&CK® icon on the left navigation panel of the DNIF console.
- The different colors of the techniques indicate the following:

| Indication | Description |
| --- | --- |
| Green vertical bar in technique (Data and Workbook both exist) | Indicates that the data required to detect that technique is available and that the detection rule exists in the form of a workbook. |
| Blue vertical bar in technique (No data but Workbook exists) | Indicates that the data required to detect that technique is not available; however, the detection rule exists in the form of a workbook. Note: a blue technique turns green as soon as the logs are made available by integrating the appropriate log sources. |
| Gray vertical bar in technique (No workbook and no data exist) | Indicates the absence of both data and a workbook for the technique. |
- Use the Show active toggle in the right corner of the screen to view only active workbooks.
- The Search icon lets you search for a specific technique.
- Click the count block to view the workbooks; it lists the workbook names.
- Click the workbook you want to investigate. It helps you trace the attack points through the signals raised.
The workbook opens in edit mode or view mode according to the role assigned to you.
- Even within a green Tactic, Technique and Procedure, the workbooks must be in Streamed or Scheduled mode in order to trigger detection. If a workbook's Streamed or Scheduled mode is 'Off', it will not trigger detection even if data is available.
- DNIF provides a large number of workbooks as out-of-the-box content; however, these workbooks need careful tuning on your end. Failing to do so may result in many false positives and noise.
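The color rules and the Streamed/Scheduled caveat above can be turned into a coverage audit. The following is an added example, not DNIF code: it assumes a constructed per-technique record (whether the required log data is available, and each mapped workbook with its mode), classifies each technique by the page's color rules, and flags techniques that show green but cannot fire because every mapped workbook is Off.

```python
from dataclasses import dataclass, field


@dataclass
class Workbook:
    name: str
    mode: str  # "Streamed", "Scheduled" or "Off" (constructed values)


@dataclass
class Technique:
    technique_id: str
    data_available: bool          # required log sources integrated?
    workbooks: list = field(default_factory=list)  # mapped workbooks


def colour(t: Technique) -> str:
    """Bar colour for a technique, following the rules in the table above."""
    if t.workbooks and t.data_available:
        return "green"   # data and workbook both exist
    if t.workbooks:
        return "blue"    # workbook exists, data missing
    return "gray"        # neither exists


def audit(techniques):
    """Return per-colour counts and the 'inert' techniques: green on the map,
    yet no mapped workbook is in Streamed or Scheduled mode, so nothing
    would actually trigger a detection."""
    counts = {"green": 0, "blue": 0, "gray": 0}
    inert = []
    for t in techniques:
        c = colour(t)
        counts[c] += 1
        if c == "green" and all(w.mode == "Off" for w in t.workbooks):
            inert.append(t.technique_id)
    return counts, inert


# Constructed sample; workbook names are hypothetical, technique IDs are
# real ATT&CK identifiers used only as labels.
SAMPLE = [
    Technique("T1059", True, [Workbook("wb-cmd-exec", "Streamed")]),
    Technique("T1003", True, [Workbook("wb-cred-dump", "Off")]),
    Technique("T1021", False, [Workbook("wb-remote-svc", "Scheduled")]),
    Technique("T1562", False, []),
]

if __name__ == "__main__":
    counts, inert = audit(SAMPLE)
    print(counts)                                   # {'green': 2, 'blue': 1, 'gray': 1}
    print("green but no workbook running:", inert)  # ['T1003']
```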