
Overview

The ATT&CK Map only covers MITRE ATT&CK Enterprise.

The MITRE ATT&CK Framework is a knowledge base used to develop specific threat models and methodologies. Use the Cloud SIEM ATT&CK Map to explore and visualize the MITRE ATT&CK Framework against Datadog’s out-of-the-box rules and your custom detection rules. The ATT&CK Map displays detection rule density as a heat map to provide visibility into attacker techniques. Your security teams can use the heat map to assess the coverage gaps that are relevant to their organization or team and prioritize improvements to their detection rule defenses.

View detection rules in the ATT&CK Map

To view detection rules against the MITRE ATT&CK Framework:

  1. Navigate to the Detection Rules page.
  2. Click the ATT&CK Map button located next to Rules List.

The default view of the map shows all Datadog out-of-the-box and custom rules for active sources, broken down into different attack techniques. Active sources are the sources of logs found and analyzed in the Cloud SIEM index.

Note: For the legacy SKU, all ingested logs are analyzed by Cloud SIEM unless security filters have been set up.

To view the map for all sources, in the Visualize dropdown menu, select All Sources. This shows all out-of-the-box rules, including those that are not currently used to detect threats from your logs.

Click the rule density buttons to visualize the map for a specific number of rules. For example, if you click High +7, only tiles that have more than seven rules enabled are shown on the map.

To view more information about a technique and the rules monitoring the technique:

  1. On the ATT&CK Map page, click on a technique tile.
  2. Click Create Custom Rule if you want to create a custom rule for this technique. See Detection Rules for more information on creating custom rules.
  3. In the Rules monitoring this Technique section, you can:
    1. Enter a search query to filter to specific rules.
    2. Sort by the creation date, rule type, rule name, source, or highest severity.
    3. Toggle Show deprecated rules to see deprecated rules for this technique.

Add attacker technique and tactic tags to custom rules

Custom rules only show up in the map if they are tagged in the rule editor with the correct MITRE tactic and technique. The tactic and technique must also be paired correctly. If the correct format and pairing are not used, the rule does not show up in the map when you use the search bar to filter for that rule.

This is an example of the format you need to use for tagging custom rules and the correct pairing of tactic and technique tags:

  • tactic: <tactic number>-<tactic name>
    • For example: tactic:TA0001-Initial-Access
  • technique: <technique number>-<technique name>
    • For example: technique:T1566-Phishing

Note: The tactic and technique need to be based on the MITRE ATT&CK version stated on the ATT&CK Map page.
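The following is an added example, not code from Datadog or from this page, showing how a team could check its custom rules' tags against the format above before relying on the map, and how the rule density buttons bucket tiles (for example, High +7 keeps techniques with more than seven enabled rules). The tactic and technique tables are a small constructed subset of ATT&CK Enterprise; the pairing of a technique with its tactics must come from the ATT&CK version stated on the ATT&CK Map page, and the sample rules are constructed for illustration.

```python
import re
from collections import Counter

# Constructed subset of MITRE ATT&CK Enterprise tactics (ID -> hyphenated name,
# as the tag format expects). The authoritative list is the ATT&CK version
# shown on the ATT&CK Map page.
TACTICS = {
    "TA0001": "Initial-Access",
    "TA0002": "Execution",
    "TA0006": "Credential-Access",
}

# Constructed subset of technique -> (name, tactics it may be paired with).
TECHNIQUES = {
    "T1566": ("Phishing", {"TA0001"}),
    "T1059": ("Command-and-Scripting-Interpreter", {"TA0002"}),
    "T1110": ("Brute-Force", {"TA0006"}),
}

TACTIC_RE = re.compile(r"^tactic:(TA\d{4})-(\S+)$")
TECHNIQUE_RE = re.compile(r"^technique:(T\d{4})-(\S+)$")


def validate_rule_tags(tags):
    """Return a list of problems with a rule's tags; an empty list means the
    rule would appear on the map under every technique it is tagged with."""
    problems, tactic_ids, technique_ids = [], set(), set()
    for tag in tags:
        if tag.startswith("tactic:"):
            m = TACTIC_RE.match(tag)
            if not m:
                problems.append(f"malformed tactic tag: {tag}")
                continue
            tid, name = m.groups()
            if TACTICS.get(tid) != name:
                problems.append(f"unknown tactic or wrong name: {tag}")
                continue
            tactic_ids.add(tid)
        elif tag.startswith("technique:"):
            m = TECHNIQUE_RE.match(tag)
            if not m:
                problems.append(f"malformed technique tag: {tag}")
                continue
            tid, name = m.groups()
            if tid not in TECHNIQUES or TECHNIQUES[tid][0] != name:
                problems.append(f"unknown technique or wrong name: {tag}")
                continue
            technique_ids.add(tid)
    if not tactic_ids or not technique_ids:
        problems.append("rule needs at least one tactic tag and one technique tag")
        return problems
    # Pairing check: every tagged technique must belong to a tagged tactic.
    for tid in sorted(technique_ids):
        if not TECHNIQUES[tid][1] & tactic_ids:
            problems.append(f"{tid} is not paired with any tagged tactic")
    return problems


def technique_density(rules):
    """Count enabled, correctly tagged rules per technique tile."""
    density = Counter()
    for rule in rules:
        if not rule.get("enabled", True) or validate_rule_tags(rule["tags"]):
            continue  # disabled or mis-tagged rules never reach the map
        for tag in rule["tags"]:
            m = TECHNIQUE_RE.match(tag)
            if m:
                density[m.group(1)] += 1
    return density


def dense_tiles(density, threshold):
    """Techniques with more than `threshold` enabled rules, mirroring the
    rule density buttons (High +7 keeps tiles with more than seven)."""
    return sorted(t for t, n in density.items() if n > threshold)


# Constructed sample: eight valid phishing rules, one disabled copy, one valid
# brute-force rule, and three rules that would be missing from the map.
GOOD = ["tactic:TA0001-Initial-Access", "technique:T1566-Phishing"]
SAMPLE_RULES = [{"name": f"phishing-{i}", "enabled": True, "tags": GOOD} for i in range(8)] + [
    {"name": "phishing-disabled", "enabled": False, "tags": GOOD},
    {"name": "brute-force-ok", "enabled": True,
     "tags": ["tactic:TA0006-Credential-Access", "technique:T1110-Brute-Force"]},
    {"name": "wrong-pair", "enabled": True,
     "tags": ["tactic:TA0002-Execution", "technique:T1566-Phishing"]},
    {"name": "bad-format", "enabled": True,
     "tags": ["tactic:initial access", "technique:T1566-Phishing"]},
    {"name": "no-technique", "enabled": True, "tags": ["tactic:TA0001-Initial-Access"]},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for problem in validate_rule_tags(rule["tags"]):
            print(f"{rule['name']}: {problem}")
    density = technique_density(SAMPLE_RULES)
    print(dict(density), "High +7 tiles:", dense_tiles(density, 7))
```

Running a check like this over exported custom rules before opening the map explains most "my rule is not on the tile" cases: a tactic name spelled with spaces, a technique paired with a tactic it does not belong to, or a rule tagged with only one of the two tags.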

Further reading

Additional helpful documentation, links, and articles: