Framework Mapping and MITRE ATT&CK® Matrix
Map detections to compliance frameworks in Panther
Last updated
Was this helpful?
Map detections to compliance frameworks in Panther
Last updated
Was this helpful?
Panther supports the ability to track coverage against compliance frameworks by mapping rules, policies and scheduled rules to reports.
In Panther versions 1.37 and newer, you can map detections against MITRE ATT&CK®. This can help you track and visualize coverage, which may be useful for identifying gaps and reporting compliance internally. To learn how to assign Tactic and Technique combos to your detections, see the documentation below.
In the left-hand navigation bar of your Panther Console, click Dashboard.
Click the MITRE ATT&CK® tab.
Click the name of a detection.
Scroll down to the Set Alert Fields tile.
On the right hand side of the Framework Mapping section, click Add New.
In Report Key, enter the framework name.
In Report Values, enter the specific framework requirement name.
You can enter multiple report values separated by a comma.
In the upper-right corner, click Update.
In the left-hand navigation bar of your Panther Console, click Dashboard.
Click the MITRE ATT&CK® tab.
Choose an option from the Matrix drop-down menu in the upper-right corner of the page.
Here you will see the number of techniques covered out of the total, and the number of active analytics. Each Tactic is represented as a row, and a square represents each technique.
When clicking into a Technique, you will see the Detections or Log Sources that are applicable. Please note the following:
Panther-managed Detections are automatically assigned to applicable Tactic and Technique combos as long as you are using the latest version.
CrowdStrike as a Log Source is automatically assigned to applicable Tactic and Technique combos.
You are able to assign enabled or disabled Detections that have log sources that you have not yet onboarded.
You will need to assign all of your custom rules, policies, and scheduled rules to the respective Tactics & Techniques.
Covered: Confirmed by you as a covered Tactic and Technique combo
Partially Covered:
One or more mapped Panther-managed detection or unmanaged detection
Onboarded CrowdStrike as a log source
Not Relevant: Manually assigned to not be relevant for your environment
Not Covered: No applicable detection or manually assigned
There are two ways to assign rules, policies, and scheduled rules to a Tactic and Technique: From the MITRE ATT&CK Matrix or from the detection create/edit workflow.
Select a Tactic and Technique that you would like to map Detections to.
In the component under the Matrix you’ll see a list of already mapped Detections or an empty state.
For new and existing Detections the TacticID:TechniqueID will be automatically assigned after this step.
From the create or edit detection workflow:
In the left-hand navigation bar of your Panther Console, click Detections.
Click the name of a detection.
Scroll down to the Framework Mapping section, within the Set Alert Fields tile.
To add a mapping, click Add Report. Configure the fields:
Report Key: Enter MITRE ATT&CK.
Report Values: Enter the TacticID:TechniqueID value.
To remove a mapping, click the trash icon next to the TacticID:TechniqueID
The Tags field can be used to enrich the detection with more metadata about the Tactic and Technique as you see fit. For example, it may be useful to add the Tactic and Technique as a tag:
In the left-hand navigation bar of your Panther Console, click Detections.
Click the name of a detection.
Scroll down to the Set Alert Fields tile.
Type the tag in the Custom Tags field, then press enter.
In the upper-right corner, click Update.
You can find the Tactic ID and Technique ID in the Panther Console or by visiting the MITRE ATT&CK website.
At the bottom of the screen, click Create New or Map Existing to assign Detections.
In the upper-right corner, click Update.
Once the detection has been or bulk uploaded, the changes will be reflected in the matrix in the Panther Console.
