Question

mitre analysis for curated rules

  • October 30, 2025
  • 6 replies
  • 90 views

NASEEF

Hello Team,

We’re currently performing a MITRE ATT&CK analysis for the curated detections using the MITRE ATT&CK Matrix dashboard.

While the dashboard makes it easy to see how many rules exist per technique, identifying each rule’s corresponding rule name, rule set, and category is quite challenging — I have to review them individually. For techniques with a large number of rules, this becomes very time-consuming.

I’m focusing only on curated rules, and it seems that the Ruleset dashboard doesn’t support MITRE queries — the mapping appears to be available only in the rules field, which doesn’t seem to work for curated content.

Is there any way to generate a sheet like the example snippet below directly from the dashboard or through any other approach/tool?

Thanks in advance for your help!

@jstoner 

6 replies

NASEEF
  • Author
  • Bronze 5
  • October 30, 2025

In short, we are focusing on listing rule name, ruleset and rule category for each technique.


mrmiller
Staff
  • Staff
  • October 30, 2025

Hi Naseef, thanks for the great feedback.

Want to make sure you’re aware of something that may help:

If you click on a MITRE Technique, then in the list of “Curated rules”, click the “...” menu, you can click the button “Manage Rule” to go directly to the content hub for that rule so you can more easily enable it.


NASEEF
  • Author
  • Bronze 5
  • October 30, 2025

Hello Miller, I’m aware of this, but the challenge is that, for example, the technique T1059 – Command and Scripting Interpreter has around 162 curated rules. If I want to identify the ruleset, rule category, and rule name for each of those, I have to manually open them one by one — which is quite a heavy and time-consuming task.

Because there may be any number of categories and rulesets associated with the same technique, right?


NASEEF
  • Author
  • Bronze 5
  • October 30, 2025

We’re focusing on creating a detailed list similar to what’s displayed in the dashboard.
For example, for the technique T1059 – Command and Scripting Interpreter, I need to list:

  • All rule sets associated with this technique
  • All corresponding rule categories
  • A complete list of the 162 rules mapped to this technique

For this scenario I may need to open the rules one by one with the above method.


gkush
Staff
  • Staff
  • November 3, 2025

Something that will help, not perfectly for your requirements but will help you focus on the rules you want matches for, is the new MITRE ATT&CK Matrix that was released to General Availability last week. Here’s an example where I typed in “T1059” as a TTP search:

NASEEF
  • Author
  • Bronze 5
  • November 6, 2025

Hello team,
I am using the method mentioned above; however, it’s quite difficult to go through each rule to get ruleset and rule category manually — especially for techniques that include as many as 162 rules. If any ready data is available, could you please help identify at least all the rulesets and rule categories for the techniques listed below?

T1027 Obfuscated Files or Information
T1003 OS Credential Dumping
T1036 Masquerading
T1036.005 Match Legitimate Resource Name or Location
T1047 Windows Management Instrumentation
T1053 Scheduled Task/Job
T1014 Rootkit
T1053.005 Scheduled Task
T1055 Process Injection
T1059 Command and Scripting Interpreter
T1078 Valid Accounts
T1078.004 Cloud Accounts
T1098 Account Manipulation
T1114 Email Collection
T1213 Data from Information Repositories
T1564 Hide Artifacts
T1566 Phishing
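Added example, not from this thread or from the product: if you can obtain the curated rule metadata as an export (rule name, ruleset, category and the ATT&CK techniques each rule is tagged with), a short script can invert the rule-to-technique mapping into the per-technique sheet asked for above, restricted to the technique list in the last post. The export layout, field names and rule entries below are constructed; rolling sub-techniques (T1059.001) up into their parent (T1059) is an assumption about the desired sheet, not a statement about how the dashboard counts.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; field names are assumptions, not a real product schema.
CURATED_RULES = [
    {"rule_name": "Suspicious PowerShell Encoded Command", "rule_set": "Windows Threats",
     "category": "Execution", "techniques": ["T1059.001", "T1027"]},
    {"rule_name": "WMI Remote Process Launch", "rule_set": "Windows Threats",
     "category": "Lateral Movement", "techniques": ["T1047", "T1059"]},
    {"rule_name": "Cloud Console Login From New Country", "rule_set": "Cloud Threats",
     "category": "Initial Access", "techniques": ["T1078.004"]},
    {"rule_name": "Mimikatz LSASS Access", "rule_set": "Windows Threats",
     "category": "Credential Access", "techniques": ["T1003.001"]},
]

# Subset of the techniques listed in the thread; order is preserved in the output.
WANTED = ["T1003", "T1027", "T1047", "T1059", "T1078", "T1078.004"]

def technique_keys(tid):
    """A sub-technique such as T1059.001 counts for itself and for its parent T1059."""
    keys = {tid}
    if "." in tid:
        keys.add(tid.split(".")[0])
    return keys

def build_sheet(rules, wanted):
    """Return {technique: {"rule_sets": [...], "categories": [...], "rules": [...]}}."""
    by_tech = defaultdict(lambda: {"rule_sets": set(), "categories": set(), "rules": set()})
    for rule in rules:
        for tid in rule["techniques"]:
            for key in technique_keys(tid):
                if key in wanted:
                    by_tech[key]["rule_sets"].add(rule["rule_set"])
                    by_tech[key]["categories"].add(rule["category"])
                    by_tech[key]["rules"].add(rule["rule_name"])
    # Sorted lists make the sheet deterministic and easy to diff between runs.
    return {t: {k: sorted(v) for k, v in by_tech[t].items()} for t in wanted if t in by_tech}

def to_csv(sheet):
    """Serialise the sheet as CSV text, one row per technique."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["technique", "rule_count", "rule_sets", "categories", "rules"])
    for tech, row in sheet.items():
        w.writerow([tech, len(row["rules"]), "; ".join(row["rule_sets"]),
                    "; ".join(row["categories"]), "; ".join(row["rules"])])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(build_sheet(CURATED_RULES, WANTED)))
```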