
Application: MITRE ATT&CK Adviser

Purpose

The MITRE ATT&CK(™) Adviser application enables security teams to understand their Devo domain's alerts and log sources in the context of the MITRE ATT&CK(™) framework.

For alert coverage, the application reads all Security Operations out-of-the-box alerts, custom alerts, and installed alerts, maps them to the ATT&CK matrix, and color-codes how well each tactic and technique is covered.

Directly from the application you can:

  • View sub-techniques within the matrix to understand where more coverage can be added

  • Install alerts and take action to improve coverage

  • Have a single alert provide coverage for multiple tactics and techniques

For log sources, the application detects the log sources currently being ingested and maps them to the ATT&CK matrix so that data ingestion can be evaluated against the framework.

For the alert heatmap, the application shows the concentration of fired alerts per technique and tactic over a selected period.
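As an added illustration (not Devo's code and not the application's implementation), the following Python sketches the mapping logic described above on constructed data: sub-techniques roll up to their parent technique, one alert can cover several techniques, each matrix cell gets a colour band from its alert count, and the heatmap counts fired alerts per technique within a period. The alert names, technique-to-tactic entries, colour thresholds and timestamps are all hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data (hypothetical, not Devo's alert catalogue): each alert lists
# the ATT&CK technique / sub-technique IDs it detects; one alert may cover several.
ALERT_TECHNIQUES = {
    "SecOps_BruteForceLogin": ["T1110.001", "T1110.003"],
    "Installed_PasswordSpray": ["T1110.003"],
    "Custom_PowerShellDownload": ["T1059.001", "T1105"],
    "Installed_ScheduledTask": ["T1053.005"],
}
# Technique -> tactic, a small constructed subset of the ATT&CK matrix.
TECHNIQUE_TACTIC = {"T1110": "credential-access", "T1059": "execution", "T1105": "command-and-control",
                    "T1053": "persistence", "T1003": "credential-access"}  # T1003 has no alert: a gap
# Constructed fired-alert events (timestamp, alert name) for the heatmap.
FIRED = [(datetime(2024, 5, 1, 9), "SecOps_BruteForceLogin"),
         (datetime(2024, 5, 1, 11), "SecOps_BruteForceLogin"),
         (datetime(2024, 5, 2, 8), "Custom_PowerShellDownload"),
         (datetime(2024, 4, 20, 8), "Installed_ScheduledTask")]  # outside the default period

def parent(tid):  # sub-technique T1110.001 rolls up to technique T1110
    return tid.split(".")[0]

def coverage_by_technique(alert_map=ALERT_TECHNIQUES):
    """Distinct alerts covering each technique in the matrix (0 = uncovered)."""
    cov = defaultdict(set)
    for alert, tids in alert_map.items():
        for tid in tids:
            cov[parent(tid)].add(alert)
    return {t: len(cov[t]) for t in TECHNIQUE_TACTIC}

def coverage_by_tactic(tech_cov):
    """Share of each tactic's techniques that have at least one alert."""
    total, hit = Counter(), Counter()
    for tid, tactic in TECHNIQUE_TACTIC.items():
        total[tactic] += 1
        hit[tactic] += int(tech_cov[tid] > 0)
    return {tac: hit[tac] / total[tac] for tac in total}

def cell_color(n):  # colour band for a matrix cell from its alert count (thresholds are assumed)
    return "red" if n == 0 else "yellow" if n == 1 else "green"

def heatmap(start=datetime(2024, 5, 1), end=datetime(2024, 5, 3), fired=FIRED, alert_map=ALERT_TECHNIQUES):
    """Fired alerts per technique within [start, end): the alert heatmap for that period."""
    heat = Counter()
    for ts, alert in fired:
        if start <= ts < end:
            for tech in {parent(t) for t in alert_map[alert]}:  # count once per technique per firing
                heat[tech] += 1
    return heat
```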

Prerequisites

To install some alerts, you must have the following lookups installed in your domain, unless you have the Security Operations application, which includes them in its installation package:

Refer to the individual MITRE Content Packs to see which specific alerts these prerequisites apply to.

There are no prerequisites for using the MITRE ATT&CK Adviser application itself.

Open the app

Once the app has been installed, use the Open button at the top right of its card in Exchange to launch it. You can also open the app from the Navigation pane.

Use the app

Once inside the app, you can use it as required. Refer to MITRE ATT&CK Adviser for a detailed walkthrough of its features.