Question

Supported metadata for MITRE ATT&CK matrix dashboard

  • February 5, 2026
  • 1 reply
  • 21 views


According to the documentation at https://docs.cloud.google.com/chronicle/docs/detection/mitre-dashboard:
 

For your custom rules to appear in the matrix and count toward threat coverage, you must map them to one or more MITRE ATT&CK techniques.

To do this, add a technique key to the rule's metadata section. The value must be a valid MITRE ATT&CK technique ID or multiple IDs as a comma-separated string.

Example: metadata: technique="T1548,T1134.001"

 

However, what I am observing is that some other formats of metadata appear to be correctly parsed, whereas others are not.

E.g. a rule with no technique key but this metadata:

mitre_attack_tactic = "Initial Access"

mitre_attack_technique = "Phishing"

mitre_attack_url = "https://attack.mitre.org/techniques/T1566/"

mitre_attack_version = "v13.1"

appears to be correctly parsed and show up on the dashboard ✅

However, a rule with similar metadata:

mitre_attack_tactic = "TA0010" // Exfiltration

mitre_attack_technique = "T1567" // Exfiltration Over Web Service

does not appear to be parsed and shown on the dashboard ❌

 

Can we get some clarity over what metadata keys are supported and what formats of value are accepted for them?

1 reply

Ulab
  • Bronze 1
  • February 5, 2026

The MITRE ATT&CK dashboard only reliably recognizes rules that include the metadata: technique="TXXXX" key with valid MITRE IDs. Other keys like mitre_attack_tactic or mitre_attack_technique might display sometimes, but they aren’t guaranteed to be parsed. To ensure your rules show up, always use the metadata: technique format with correct IDs.
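
A pre-deployment check for the mapping discussed in this thread, added here as an example (not code from the original posts or from Google): it reads a rule's `meta:` section, validates the documented `technique` key against the syntactic shape of ATT&CK IDs, and for rules without that key suggests IDs found in other `mitre_attack_*` values. The function names and sample rules are constructed, and the ID check is format-only; it does not confirm that an ID exists in ATT&CK or how the dashboard parses anything.

```python
import re

# Syntactic shape of an ATT&CK (sub-)technique ID, e.g. T1548 or T1134.001.
# Format check only: it does not confirm the ID exists in ATT&CK.
TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
META_PAIR = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)
META_SECTION = re.compile(r"meta:(.*?)(?=^\s*\w+:\s*$|\Z)", re.DOTALL | re.MULTILINE)


def meta_of(rule_text):
    """Key/value pairs between 'meta:' and the next section header."""
    m = META_SECTION.search(rule_text)
    return dict(META_PAIR.findall(m.group(1))) if m else {}


def check_rule(rule_text):
    """Return (status, detail) for the rule's technique mapping (hypothetical helper)."""
    meta = meta_of(rule_text)
    if "technique" in meta:
        ids = [p.strip() for p in meta["technique"].split(",")]
        bad = [i for i in ids if not TECHNIQUE_ID.fullmatch(i)]
        return ("invalid", ",".join(bad)) if bad else ("ok", ",".join(ids))
    # No technique key: collect IDs from mitre_attack_* values as a suggested
    # value for technique. ATT&CK URLs write sub-techniques as T1566/001.
    found = []
    for key in sorted(meta):
        if key.startswith("mitre_attack_"):
            for tid in TECHNIQUE_ID.findall(meta[key].replace("/", ".")):
                if tid not in found:
                    found.append(tid)
    return ("missing", ",".join(found))


# Constructed sample rules; the meta values are the ones quoted in the thread.
BODY = '\n  events:\n    $e.metadata.event_type = "NETWORK_HTTP"\n  condition:\n    $e\n}'
RULES = {
    "url_only": 'rule url_only {\n  meta:\n    mitre_attack_technique = "Phishing"\n'
                '    mitre_attack_url = "https://attack.mitre.org/techniques/T1566/"' + BODY,
    "id_in_other_key": 'rule id_in_other_key {\n  meta:\n'
                       '    mitre_attack_tactic = "TA0010" // Exfiltration\n'
                       '    mitre_attack_technique = "T1567"' + BODY,
    "documented": 'rule documented {\n  meta:\n    technique = "T1548,T1134.001"' + BODY,
    "name_not_id": 'rule name_not_id {\n  meta:\n    technique = "Phishing"' + BODY,
}

if __name__ == "__main__":
    for name, text in RULES.items():
        print(name, *check_rule(text))
```

A `missing` result carries the IDs that could be copied into a `technique` key, so the rule no longer depends on keys whose parsing is not documented.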