Cyware Situational Awareness Platform

ATT&CK Navigator

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and sub-techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in an organization.

Use the ATT&CK Navigator to visualize the defensive coverage and frequency of detected tactics and techniques based on the alerts and TDL content in the Member Portal.

View Alert Heat Map

The Alert Heat Map displays tactic, technique, and sub-technique data based on the alerts shared with you. While creating an alert, analysts can associate the tactic and technique details that correspond to the alert. These alerts are mapped in the ATT&CK Navigator. For example, if an analyst selects Persistence as the tactic and Application Shimming as the technique while creating an alert, that association appears in the Alert Heat Map.

Note

If you are unable to view the Alert Heat Map but can view the TDL Heat Map, this may be due to the configuration in the Analyst Portal. For more information, contact your Collaborate administrator.

  • From the Main Menu, select ATT&CK Navigator.

  • The columns are organized based on tactics defined by MITRE. The number of times a particular tactic is reported in an alert is displayed next to the tactic name.

    Select a tactic to view the list of alerts associated with the tactic.

  • The rows are organized based on techniques defined by MITRE. The number of times a particular technique is reported in an alert is displayed next to the technique name. 

    Select a technique to view the list of alerts associated with the technique.

  • Select the ATT&CK Matrix type (Enterprise, ICS, and Mobile) to view the corresponding alerts.

  • The heat map uses red to indicate the frequency of detected tactics and techniques. The more intense the color, the higher the frequency of the technique.

View TDL Heat Map

The TDL Heat Map displays tactic and technique data based on the content available in the Threat Defender Library (TDL). While creating TDL content, you can associate the tactic, technique, and sub-technique details that correspond to the content. This content is subsequently mapped to the ATT&CK Navigator.

  • From the Main Menu, select ATT&CK Navigator.

  • The columns are organized based on tactics defined by MITRE. The number of times a particular tactic is reported in TDL content is displayed next to the tactic name.

    Select a tactic to view the TDL content that you or your organization created and associated with it.

  • The rows are organized based on techniques defined by MITRE. The number of times a particular technique is reported in TDL content is displayed next to the technique name.

    Select a technique to view the TDL content that you or your organization created and associated with it.

  • Select the ATT&CK Matrix type (Enterprise, ICS, and Mobile) to view the corresponding TDL content.

  • The heat map uses red to indicate the frequency of detected tactics and techniques. The more intense the color, the higher the frequency of the technique.

Manage Heat Map

Use the following information to manage the alert and TDL heat maps:

  • To filter data by date range, use the Published Date filter.

  • To hide the cells that do not have any data in the heat map, turn on the Remove Blank Space toggle.

  • To view how frequently the techniques are used, shown through color intensity, click Heat Map.

  • Click the vertical ellipsis and use the following information:

    • To download the heat map as a PDF on your local system, click Download. Any filters you apply or techniques you expand before downloading are included in the PDF.

    • Click Walkthrough to get a step-by-step guide of the feature.