Domain separation and MITRE-ATT&CK
This domain separation overview pertains to MITRE-ATT&CK. Domain separation allows you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.
Support level
Support: Basic.
How domain separation works with MITRE-ATT&CK
Follow these steps to achieve domain separation:
- Create a user with the required sn_ti.admin roles in the respective domain.
- Replicate the following for every domain:
  - TAXII Collections
    Note:
    - Do not activate the collections in the global domain. Activate only the collections that are replicated and available in your domain.
    - Change the Run as field in the collections to the user with the sn_ti.admin role in the respective domain.
  - Technique Coverage Definition
  - Technique Extraction Rule
  - Detection Rules – MITRE ATT&CK Mappings
  - Mitigation Coverage
    - Copy all the mitigation coverage definition records.
    - Copy the mitigation coverage calculator or create a new calculator for the respective domain.
  - Threat Group - Technique Heatmap Definitions
- TAXII Collections
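The rules in the note above can be checked against an export of the collection and user records. The following is an added example, not ServiceNow code: the record shape, the field names (name, domain, active, run_as, roles), the user names, and the TOP/ExampleCo domain are assumptions made for illustration.

```python
# Added example. Record shape and field names (name, domain, active, run_as,
# roles) are assumptions for illustration, not the product's schema.
GLOBAL = "global"
REQUIRED_ROLE = "sn_ti.admin"

def audit_collections(collections, users, domains):
    """Return sorted (domain, collection, finding) tuples for rule violations."""
    findings = []
    replicated = set()
    for c in collections:
        dom, name = c["domain"], c["name"]
        if dom == GLOBAL:
            # Rule 1: collections in the global domain must stay inactive.
            if c["active"]:
                findings.append((dom, name, "active in global domain"))
            continue
        replicated.add(dom)
        # Rule 2: Run as must be a user of this domain holding sn_ti.admin.
        user = users.get(c["run_as"])
        if user is None:
            findings.append((dom, name, "Run as user not found"))
        elif user["domain"] != dom:
            findings.append((dom, name, "Run as user is in another domain"))
        elif REQUIRED_ROLE not in user["roles"]:
            findings.append((dom, name, "Run as user lacks " + REQUIRED_ROLE))
    # Rule 3: every domain needs its own replicated collection.
    for dom in domains:
        if dom not in replicated:
            findings.append((dom, "-", "no replicated collection"))
    return sorted(findings)

# Constructed sample data; TOP/Initech is the domain named on this page,
# TOP/ExampleCo and the user names are made up.
SAMPLE_USERS = {
    "ti.admin.initech": {"domain": "TOP/Initech", "roles": {"sn_ti.admin"}},
    "ti.admin.global": {"domain": GLOBAL, "roles": {"sn_ti.admin"}},
}
SAMPLE_COLLECTIONS = [
    {"name": "Enterprise ATT&CK", "domain": GLOBAL, "active": True, "run_as": "ti.admin.global"},
    {"name": "Mobile ATT&CK", "domain": GLOBAL, "active": False, "run_as": "ti.admin.global"},
    {"name": "Enterprise ATT&CK", "domain": "TOP/Initech", "active": True, "run_as": "ti.admin.initech"},
    {"name": "ICS ATT&CK", "domain": "TOP/Initech", "active": True, "run_as": "ti.admin.global"},
]
SAMPLE_DOMAINS = ["TOP/Initech", "TOP/ExampleCo"]

if __name__ == "__main__":
    for finding in audit_collections(SAMPLE_COLLECTIONS, SAMPLE_USERS, SAMPLE_DOMAINS):
        print(" | ".join(finding))
```
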
Replicate TAXII Collection
- Navigate to .
- In the header bar, use the domain picker to select your domain.
- Select the TAXII collection that is relevant to your organization (Enterprise ATT&CK, Mobile ATT&CK, or ICS ATT&CK).
- Right-click in the header bar and select Insert and Stay. The duplicate TAXII collection is created under the selected domain.
- Navigate back to the MITRE ATT&CK TAXII Profile to view the duplicate TAXII collection.
The following illustration shows how to select the domain TOP/Initech, replicate the TAXII collection in the domain, and verify the replicated TAXII collection.