Perform link analysis and threat hunting using MITRE-ATT&CK specific filters

  • Release version: Xanadu
  • Updated August 1, 2024
  • 1 minute to read
  • Correlate and perform link analysis of observables, security incidents, and MITRE-ATT&CK related information so that your organization can start hunting for threats.

    Before you begin

    Role required: sn_ti.mitre_analyst, sn_si.read

    Procedure

    1. Navigate to All > Security Incidents > Show All Incidents.
    2. Click Update Personalized List to add the MITRE columns.
    3. Select a filter condition so that you can view MITRE related information and associations with security incidents or observables:
    4. Create a filter condition that is based on the above criteria and click Run to perform a link analysis or correlation between security incidents, observables, and MITRE-ATT&CK related information.
      Note:
      The MITRE-ATT&CK data is stored as a string and you can only use contains as the operator for filter conditions.

      For example, if you want to review whether a configuration item (CI) is compromised, you select that CI. You then correlate the CI with the techniques present by adding a MITRE-ATT&CK Technique ID condition. You can continue to build on the filter criteria to correlate the information and hunt for threats.

      MITRE filter conditions for threat analysis.
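The note above says the MITRE-ATT&CK data is stored as a string and only the contains operator is available. The following is an added example, not ServiceNow code, that simulates that filter over constructed incident records and shows the substring caveat this implies: a contains condition on T1059 also matches the sub-technique T1059.001. It assumes a hypothetical field named mitre_technique_ids holding a comma-separated list of technique IDs.

```javascript
// Added example (not ServiceNow code): simulates the "contains" string filter
// from the procedure and shows why a substring match over-matches.
// Assumption: the MITRE technique field (hypothetical name mitre_technique_ids)
// holds a comma-separated string of technique IDs.

// Constructed sample security incident records.
const INCIDENTS = [
  { number: "SIR0001001", cmdb_ci: "web-prod-01", mitre_technique_ids: "T1059.001, T1105" },
  { number: "SIR0001002", cmdb_ci: "web-prod-01", mitre_technique_ids: "T1059" },
  { number: "SIR0001003", cmdb_ci: "db-prod-02",  mitre_technique_ids: "T1190, T1505.003" },
  { number: "SIR0001004", cmdb_ci: "web-prod-01", mitre_technique_ids: "T1190" },
];

// Each condition is [field, value] using a case-insensitive "contains";
// all conditions must hold, as in a list filter with AND-ed rows.
function applyContainsFilter(records, conditions) {
  return records.filter((rec) =>
    conditions.every(([field, needle]) =>
      String(rec[field] ?? "").toLowerCase().includes(needle.toLowerCase())
    )
  );
}

// Tokenizing check for comparison: split the stored string and compare whole
// IDs, so "T1059" no longer matches the sub-technique "T1059.001".
function hasExactTechnique(rec, field, techniqueId) {
  return String(rec[field] ?? "")
    .split(",")
    .map((t) => t.trim().toUpperCase())
    .includes(techniqueId.toUpperCase());
}

function incidentNumbers(records) {
  return records.map((r) => r.number);
}

// Worked case from the procedure: select a CI, then add a Technique ID.
const byCiAndTechnique = applyContainsFilter(INCIDENTS, [
  ["cmdb_ci", "web-prod-01"],
  ["mitre_technique_ids", "T1059"],
]);
console.log(incidentNumbers(byCiAndTechnique)); // ["SIR0001001", "SIR0001002"]

// Same hunt with whole-ID matching: only the incident tagged exactly T1059.
const exactOnly = INCIDENTS.filter((r) =>
  hasExactTechnique(r, "mitre_technique_ids", "T1059")
);
console.log(incidentNumbers(exactOnly)); // ["SIR0001002"]
```

When reviewing results of a contains filter, check whether a returned record carries the parent technique or a sub-technique before treating it as a confirmed correlation.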