
Mitre map dashboard

  • October 25, 2024
  • 11 replies
  • 203 views

rahul7514

Hi 

Has anyone created a dashboard that highlights the MITRE-mapped tactics and techniques of the use cases in the environment?

11 replies

matthewnichols
Community Manager
  • Community Manager
  • October 25, 2024

Hi @rahul7514 Thanks for your question. I've forwarded to product. Curious to hear what others have done. thanks


hzmndt
Staff
  • Staff
  • October 26, 2024

I think you can put the MITRE info in the rule meta section like below, then create the dashboard based on the rule detection table.

 
mitre_attack_tactic = "Lateral Movement"
mitre_attack_technique = "Remote Services: SMB/Windows Admin Shares"
mitre_attack_version = "v13.1"

rahul7514
  • Author
  • Bronze 2
  • October 26, 2024

@hzmndt: Yeah, but what I was looking for is something visually appealing, which we do have in some other SIEM tools. We can call the meta section in the dashboard, but its appearance will be plain.

Example: https://splunkbase.splunk.com/app/5742 or

https://mitre-attack.github.io/attack-navigator/


AymanC
  • Bronze 5
  • October 26, 2024

Hi @rahul7514,

In terms of doing this in-platform, this is something I looked into the feasibility of doing, but unfortunately there is not a way within the dashboard capabilities to query all rules, and you could only build a visualisation based on rules that have generated an alert, as mentioned by @hzmndt.

Therefore, the alternative solution that has been implemented uses a CI/CD pipeline (which we used anyway): whenever there is a modification to a rule, it runs a job which goes through every rule, extracts a portion of the rule's meta section (such as the MITRE ID) and then builds a ready-to-import Navigator layer. This standardisation of rules is strengthened by an initial "test" stage within our pipeline to ensure each rule matches a separate conformity checker script.

Unfortunately, this may not be the news you were looking for; however, it would be interesting to see how other people have approached this.

Kind Regards,

Ayman
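
As an added example that is not part of this thread, and not Google SecOps code or the poster's own pipeline, the job Ayman describes (walk every rule, pull the MITRE fields out of the meta section, run a conformity check, emit a Navigator import) could look like this in Python. It assumes the meta keys hzmndt proposed, adds an assumed mitre_attack_technique_id key because the ATT&CK Navigator layer format keys techniques on IDs such as T1021.002 rather than on names, and embeds three constructed rules (one deliberately malformed) as its input; the Navigator and layer version numbers are assumptions.

```python
"""Build an ATT&CK Navigator layer from the MITRE fields in YARA-L rule meta.

Added example for this thread: not Google SecOps code and not the poster's own
pipeline. It assumes hzmndt's meta convention plus an assumed
mitre_attack_technique_id field (the Navigator keys on IDs such as T1021.002,
not on names); the Navigator/layer version numbers below are assumptions too.
"""
import json
import re

def sample_rule(name, tactic, technique, tid):
    """Constructed YARA-L rule text used as sample input (not a production rule)."""
    return f'''rule {name} {{
  meta:
    mitre_attack_tactic = "{tactic}"
    mitre_attack_technique = "{technique}"
    mitre_attack_technique_id = "{tid}"
    mitre_attack_version = "v13.1"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
  condition:
    $e
}}'''

# Stands in for the repository's rules/ directory that the CI job walks.
SAMPLE_RULES = {
    "smb_admin_share_access.yaral": sample_rule(
        "smb_admin_share_access", "Lateral Movement",
        "Remote Services: SMB/Windows Admin Shares", "T1021.002"),
    "psexec_service_install.yaral": sample_rule(
        "psexec_service_install", "Lateral Movement",
        "Remote Services: SMB/Windows Admin Shares", "T1021.002"),
    # Deliberately non-conforming: the ID is not in Tnnnn or Tnnnn.nnn form.
    "broken_meta.yaral": sample_rule(
        "broken_meta", "Execution",
        "Command and Scripting Interpreter: PowerShell", "T1059-001"),
}

REQUIRED_META = ("mitre_attack_tactic", "mitre_attack_technique",
                 "mitre_attack_technique_id", "mitre_attack_version")
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
ENTERPRISE_TACTICS = {"Reconnaissance", "Resource Development", "Initial Access",
    "Execution", "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact"}
SECTION_RE = re.compile(r"(events|match|outcome|condition|options):")
META_LINE_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse_meta(rule_text):
    """Return the key/value pairs of the rule's meta: section."""
    meta, in_meta = {}, False
    for line in rule_text.splitlines():
        stripped = line.strip()
        if stripped == "meta:":
            in_meta = True
        elif in_meta and SECTION_RE.fullmatch(stripped):
            break  # the next YARA-L section ends meta
        elif in_meta and (m := META_LINE_RE.fullmatch(stripped)):
            meta[m.group(1)] = m.group(2)
    return meta

def check_conformity(rule_name, meta):
    """The pipeline's 'test' stage: every way the meta breaks the convention."""
    problems = [f"{rule_name}: missing {k}" for k in REQUIRED_META if k not in meta]
    tid = meta.get("mitre_attack_technique_id")
    if tid is not None and not TECHNIQUE_ID_RE.match(tid):
        problems.append(f"{rule_name}: malformed technique id {tid!r}")
    tactic = meta.get("mitre_attack_tactic")
    if tactic is not None and tactic not in ENTERPRISE_TACTICS:
        problems.append(f"{rule_name}: unknown tactic {tactic!r}")
    return problems

def build_layer(rules, layer_name="Detection coverage", attack_version="13"):
    """Aggregate conforming rules into a Navigator layer; returns (layer, problems)."""
    coverage, problems = {}, []
    for filename, text in rules.items():
        name = filename.rsplit(".", 1)[0]
        meta = parse_meta(text)
        errs = check_conformity(name, meta)
        if errs:
            problems.extend(errs)  # surfaced by the job, never silently plotted
            continue
        # Navigator identifies tactics by lower-case hyphenated ids.
        key = (meta["mitre_attack_technique_id"],
               meta["mitre_attack_tactic"].lower().replace(" ", "-"))
        coverage.setdefault(key, []).append(name)
    techniques = [{"techniqueID": tid, "tactic": tactic, "score": len(names),
                   "comment": ", ".join(sorted(names))}
                  for (tid, tactic), names in sorted(coverage.items())]
    layer = {"name": layer_name, "domain": "enterprise-attack",
             "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
             "description": "score = number of rules mapped to the technique",
             "techniques": techniques}
    return layer, problems

if __name__ == "__main__":
    layer, problems = build_layer(SAMPLE_RULES)
    for p in problems:
        print("CONFORMITY:", p)
    print(json.dumps(layer, indent=2))  # save and import this in the Navigator
```

Running it prints one conformity failure for broken_meta and a layer in which T1021.002 carries a score of 2 (both conforming rules map to it), which is the heat-map-style view the thread is after: a non-conforming rule fails the job instead of quietly disappearing from the coverage picture, and the Navigator import is regenerated on every rule change rather than only from rules that have already fired.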


rahul7514
  • Author
  • Bronze 2
  • October 27, 2024

@AymanC / @matthewnichols Oh okay, so it's not possible currently. Is there any roadmap in a future version to have it integrated?


matthewnichols
Community Manager
  • Community Manager
  • October 28, 2024

@rahul7514 @AymanC Check out David French's blog, Securing Your CI/CD Pipeline: Eliminate Long-Lived Credentials with Workload Identity Federation.

MITRE is discussed and he provides a script for it, but I am not sure if it will solve what you're looking for. Yes, it sounds like MITRE is on the roadmap for next year. I don't have any exact dates, but I will update you and the Community when I hear more.


suzhuang
Staff
  • Staff
  • October 28, 2024

I think what you were looking for is the MITRE ATT&CK coverage map that helps you understand which attack techniques you're prepared for and whether you have gaps in your defenses. The product team is currently looking into ways to address this challenge, so stay tuned! 🙂


  • New Member
  • January 27, 2025

Hello @suzhuang ,

Hope you are doing well!

Any progress update on the MITRE dashboard?


suzhuang
Staff
  • Staff
  • February 20, 2025

No major update so far; we should have better news in Q2!


smit8
  • Bronze 1
  • February 21, 2025

If I include MITRE in my rule meta, can I surface that in a dashboard, for now at least?


cmorris
Staff
  • Staff
  • February 21, 2025

Something like this may work, but only for rules that have fired, as we're looking at detection data. The rule meta section would need a "mitre_tag" field.

$ruleName = detection.detection.rule_name
$mitre = detection.detection.rule_labels["mitre_tag"]
match:
  $ruleName
outcome:
  $mitreTags = array_distinct($mitre)
order:
  $ruleName asc

Curated detections have tags as well; you can reference those with detection.tags. So the query would be something like:

$ruleName = detection.detection.rule_name
$mitre = detection.tags
match:
  $ruleName
outcome:
  $mitreTags = array_distinct($mitre)
order:
  $ruleName asc

And the resulting dashboard: