MITRE ATT&CK
The MITRE ATT&CK page will display all indicators detected depending on the active filters on top within the set timeframe.
The page is dynamically built up per event type, whenever there is a result there will be tables visible for the following event types;
- Process Create
- Process Access
- File Create
- Image Loaded
- Network Connection
- Registry Access
- Pipe Connected
- WMI
All fields per line are clickable and have specific drilldown actions most are equal for all event types but there are a few specific ones.
| field name | action | description |
|---|---|---|
| _time | whitelist | This will open the event type specific whitelist editor and fill it with the relevant fields |
| ID | MITRE technique | This will navigate to this specific ATT&CK technique description in the framework |
| Technique | MITRE technique | This will navigate to this specific ATT&CK technique description in the framework |
| Category | category | This will navigate to this specific Category overview in the framework |
| host_fqdn | computer drilldown | This will open the Computer Drilldown dashboard, which will show all indicators for that host |
| user_name | user drilldown | This will open the User Drilldown dashboard, which will show all user interactions |
| process_parent_guid | ParentProcess Drildown | This will open the ParentProcess GUID drilldown and search for the clicked guid |
| process_guid | Process Drildown | This will open the Process GUID drilldown and search for the clicked guid |
| hash_256 | Virustotal | This will search for the clicked hash on VirusTotal |
| src_ip | network drilldown | This will open the Network Drilldown dashboard and search for the clicked IP address |
| dst_ip | network drilldown | This will open the Network Drilldown dashboard and search for the clicked IP address |
| all other fields | table default action | This will open the ParentProcess or Process GUID drilldown depending on the event type |