Rollup MITRE-ATT&CK information from detection rules

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 3 minutes
  • Enable rollup of MITRE-ATT&CK information from the detection rules to the security incidents for better security incident and threat analysis.

    Before you begin

    Role required: none.

    Ensure that you have performed the following:
    • Enable the Rollup MITRE ATT&ACK information automatically from alert rules to security incidents property in the Properties module. By default, this option is disabled. For more information, see Review the MITRE-ATT&CK system properties.
    • Perform mapping of detection rules to MITRE-ATT&CK TTPs in Detection Rules - MITRE ATT&CK TTP Mapping module. The detection rule name must match the alert rule name that triggers the security incident. For more information, see Create and map detection rules.

    About this task

    If you do not intend to use the base system SIEM auto-extraction rules, enable the automatic rollup of MITRE-ATT&CK TTPs based on the detection rule mapping instead. The rollup is driven by the Alert Rule name field of the security incident, which holds the alert or event rule that triggered the incident. That field can be populated by SIEM integration, email parsing, manual creation, and so on; whichever way it is filled, the value must match a mapped detection rule name for the rollup to happen.

    Procedure

    1. Navigate to MITRE ATT&CK Administration > Properties.
    2. Enable the Rollup MITRE ATT&ACK information automatically from alert rules to security incidents property, and click Save.
      By default, this option is disabled.
    3. Populate the Alert Rule name field of the security incident with the alert rules that triggered it.
      Note:
      Ensure that you add the exact Alert Rule name as it appears in the Detection Rules - MITRE ATT&CK TTP Mapping module; a name that does not match exactly is not rolled up. To add multiple rules, separate the names with commas.
    4. Right-click the form, and click Save.
      If the alert rule name value in the security incident matches a record in the Detection rule - MITRE ATT&CK TTP Mapping module, the corresponding techniques and tactics associated to the alert rule are linked to the security incident automatically.

      This illustration shows how to roll up MITRE information from the detection rules to a security incident.

    5. Open the security incident, select the MITRE ATT&CK Card, and validate that the techniques have been rolled up.
    6. Enable the Show origin of techniques option to view the origin of each technique.
      For techniques rolled up this way, the origin should be Detection Rule.
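    The following is an added, stand-alone example that is not ServiceNow code and does not use the ServiceNow API. It simulates the matching logic the procedure above describes: the comma-separated Alert Rule name field is split into individual names, each name is looked up in a stand-in for the Detection Rule - MITRE ATT&CK TTP Mapping module, and the techniques and tactics of every matching record are linked to the incident with origin "Detection Rule". The mapping table, rule names and technique IDs are constructed sample data, and the exact, case-sensitive comparison (with only surrounding whitespace trimmed) is an assumption drawn from the note that the exact Alert Rule name is required; it also shows the failure mode a practitioner hits most often, a name that differs only in case or spelling, which links nothing.

```python
# Added example (not ServiceNow code): simulate the detection-rule ->
# security-incident MITRE ATT&CK rollup described in the procedure above.
# The mapping table and rule names below are constructed sample data; the
# exact, case-sensitive comparison is an assumption taken from the note
# "Ensure that you add the exact Alert Rule name".
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    technique_id: str   # ATT&CK technique ID, e.g. T1059.001
    tactic: str         # ATT&CK tactic the technique is mapped under


# Constructed stand-in for the "Detection Rule - MITRE ATT&CK TTP Mapping"
# module: detection rule name -> techniques (with their tactics) mapped to it.
DETECTION_RULE_MAPPING = {
    "Suspicious PowerShell Execution": (
        Technique("T1059.001", "Execution"),
    ),
    "New Local Admin Account": (
        Technique("T1136.001", "Persistence"),
        Technique("T1098", "Persistence"),
    ),
}


def parse_alert_rule_names(alert_rule_name_field):
    """Split the comma-separated Alert Rule name field into individual names.

    Surrounding whitespace is dropped (assumption: "a, b" is meant as two
    names); nothing else is normalised, so case and inner spacing must match
    the mapping module exactly.
    """
    return [name.strip() for name in alert_rule_name_field.split(",") if name.strip()]


def rollup_ttps(alert_rule_name_field, mapping, rollup_enabled=True):
    """Return (linked, unmatched) for one security incident.

    linked    - one dict per technique linked to the incident, carrying the
                tactic, the origin "Detection Rule" and the rule it came from
    unmatched - alert rule names with no mapping record (nothing rolls up)
    """
    # With the rollup property disabled nothing is linked, whatever the field says.
    if not rollup_enabled:
        return [], []

    linked, unmatched, seen = [], [], set()
    for rule_name in parse_alert_rule_names(alert_rule_name_field):
        techniques = mapping.get(rule_name)      # exact, case-sensitive lookup
        if techniques is None:
            unmatched.append(rule_name)
            continue
        for tech in techniques:
            if tech.technique_id in seen:        # link each technique only once
                continue
            seen.add(tech.technique_id)
            linked.append({
                "technique": tech.technique_id,
                "tactic": tech.tactic,
                "origin": "Detection Rule",
                "source_rule": rule_name,
            })
    return linked, unmatched


if __name__ == "__main__":
    # Two mapped rules in the field: three techniques roll up.
    linked, unmatched = rollup_ttps(
        "Suspicious PowerShell Execution, New Local Admin Account",
        DETECTION_RULE_MAPPING)
    for entry in linked:
        print(f"{entry['technique']:<10} {entry['tactic']:<12} "
              f"origin={entry['origin']} via {entry['source_rule']}")
    # A name that differs only in case is not an exact match: nothing rolls up,
    # and the MITRE ATT&CK card on the incident stays empty for that rule.
    linked, unmatched = rollup_ttps("suspicious powershell execution",
                                    DETECTION_RULE_MAPPING)
    print("unmatched:", unmatched)
```

    Running the block prints the three linked techniques with origin Detection Rule, then reports the lower-cased name as unmatched. When a card on a real incident stays empty after step 4, the `unmatched` list is the equivalent of what to check first: the rollup property, then an exact character-for-character comparison of the Alert Rule name value against the mapping record.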