# Framework Mapping and MITRE ATT\&CK® Matrix

## Overview

Panther supports the ability to track coverage against compliance frameworks by mapping rules, policies and scheduled rules to reports.

In Panther versions 1.37 and newer, you can map detections against [MITRE ATT\&CK](https://attack.mitre.org/)®. This can help you track and visualize coverage, which may be useful for identifying gaps and reporting compliance internally. To learn how to assign Tactic and Technique combos to your detections, [see the documentation below](#how-to-use-the-mitre-att-and-ck-r-feature-in-panther).

## **How to map a detection to a framework**

{% tabs %}
{% tab title="Console" %}

1. In the left-hand navigation bar of your Panther Console, click **Dashboard**.
2. Click the **MITRE ATT\&CK®** tab.
3. Click the name of a detection.
4. Scroll down to the **Set Alert Fields** tile.\
   ![The Set Alert Fields tile in the detection page is shown. There are various fields, like Severity, Deduplication Period, and Runbook. At the bottom is a circled Framework Mapping section, containing an Add New button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-70748bcd8ba0f94b5ce94184859b4ccb8d72a80a%2Fimage.png?alt=media)
5. On the right hand side of the **Framework Mapping** section, click **Add New**.
   * In **Report Key**, enter the framework name.
   * In **Report Values**, enter the specific framework requirement name.
     * You can enter multiple report values separated by a comma.
6. In the upper-right corner, click **Update**.
{% endtab %}

{% tab title="CLI" %}
In your detection's YAML file (in both Python and YAML detections), add a `Reports` key:

```yaml
Reports:
  Report Key:
    - Report Value
```

Once the detection has been [uploaded with Panther Analysis Tool (PAT)](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#uploading-to-panther) or bulk uploaded, the changes will be reflected in the Panther Console.
{% endtab %}
{% endtabs %}

## How to use the MITRE ATT\&CK® feature in Panther

1. In the left-hand navigation bar of your Panther Console, click **Dashboard**.
2. Click the **MITRE ATT\&CK®** tab.
3. Choose an option from the **Matrix** drop-down menu in the upper-right corner of the page.
   * Here you will see the number of techniques covered out of the total, and the number of active analytics. Each Tactic is represented as a row, and each Technique as a square within that row.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c165e31eeef920688e5379439097e63ad90ab669%2Fimage%20(132).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

When clicking into a Technique, you will see the Detections or Log Sources that are applicable. Please note the following:

* [Panther-managed Detections](https://docs.panther.com/detections/panther-managed) are automatically assigned to applicable Tactic and Technique combos as long as you are using the latest version.
* [CrowdStrike as a Log Source](https://docs.panther.com/data-onboarding/supported-logs/crowdstrike) is automatically assigned to applicable Tactic and Technique combos.
* You can assign enabled or disabled Detections whose log sources you have not yet onboarded.

You will need to assign all of your custom rules, policies, and scheduled rules to the respective Tactics & Techniques.

### Tactic and Technique possible states

* **Covered**: Confirmed by you as a covered Tactic and Technique combo
* **Partially Covered**:
  * One or more mapped Panther-managed or unmanaged detections
  * Onboarded CrowdStrike as a log source
* **Not Relevant**: Manually assigned to not be relevant for your environment
* **Not Covered**: No applicable detection, or manually assigned as not covered

### **Adding and Editing ATT\&CK mappings**

{% tabs %}
{% tab title="Console" %}
There are two ways to assign rules, policies, and scheduled rules to a Tactic and Technique: From the MITRE ATT\&CK Matrix or from the detection create/edit workflow.

{% hint style="info" %}
The actions below require you to have the **Manage Rules** permission.
{% endhint %}

**From the MITRE ATT\&CK® Matrix:**

1. Select a Tactic and Technique that you would like to map Detections to.
   * In the component under the Matrix you’ll see a list of already mapped Detections or an empty state.
2. At the bottom of the screen, click **Create New** or **Map Existing** to assign Detections.\
   ![In the Panther Console under the matrix, there is a button labeled "Create New" and a link labeled "Map Existing".](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-31fa9521ad085ead9c20db5a02a1f84984478630%2FScreen%20Shot%202022-08-02%20at%201.33.46%20PM.png?alt=media)

For new and existing Detections, the `TacticID:TechniqueID` will be assigned automatically after this step.

**From the create or edit detection workflow:**

1. In the left-hand navigation bar of your Panther Console, click **Detections**.
2. Click the name of a detection.
3. Scroll down to the **Framework Mapping** section, within the **Set Alert Fields** tile.
   * To add a mapping, click **Add Report**. Configure the fields:
     * **Report Key**: Enter `MITRE ATT&CK`.
     * **Report Values**: Enter the TacticID:TechniqueID value.
   * To remove a mapping, click the trash icon next to the `TacticID:TechniqueID`.
4. In the upper-right corner, click **Update**.\
   ![The image shows a Report Key field that contains "MITRE ATTACK" and a Report Values field that contains the TacticID:TechniqueID value](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-1f9d2f1e17e8a9a362a4a9fec76bff56746040fc%2FUntitled%20\(1\).png?alt=media)
{% endtab %}

{% tab title="CLI" %}
In your detection's YAML file (in both Python and YAML detections), add a `Reports` key, and under it, a `MITRE ATT&CK` key. Then add the Tactic and Technique IDs.

```yaml
Reports:
  MITRE ATT&CK:
    - TA0006:T1110
```

Once the detection has been [uploaded with Panther Analysis Tool (PAT)](https://docs.panther.com/panther-developer-workflows/detections-repo/pat#uploading-to-panther) or bulk uploaded, the changes will be reflected in the matrix in the Panther Console.
{% endtab %}
{% endtabs %}
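Because a malformed `Reports` value silently leaves a detection off the matrix, it is worth linting the `MITRE ATT&CK` report values in a detections repo before uploading with PAT. The script below is an added example, not Panther's or PAT's own code: it assumes each detection's YAML has already been parsed into a dict (as `yaml.safe_load` would return), checks each value against the `TacticID:TechniqueID` convention shown above, and summarises covered techniques per Tactic the way the matrix rows do. The sample detections and their RuleIDs are constructed.

```python
# Added example (not Panther's own code): lint the `Reports` key of detection
# metadata before uploading with PAT, and summarise ATT&CK coverage per tactic.
# Input is the parsed YAML of each detection (what yaml.safe_load returns).
import re
from collections import defaultdict

REPORT_KEY = "MITRE ATT&CK"
# TacticID:TechniqueID: TA + 4 digits, T + 4 digits, optional .NNN sub-technique
MAPPING_RE = re.compile(r"^TA\d{4}:T\d{4}(?:\.\d{3})?$")

# Constructed sample detections (the parsed form of their YAML files).
DETECTIONS = {
    "okta_brute_force.yml": {
        "RuleID": "Custom.Okta.BruteForce",
        "Reports": {REPORT_KEY: ["TA0006:T1110", "TA0006:T1110.001"]},
    },
    "aws_console_login.yml": {
        "RuleID": "Custom.AWS.ConsoleLogin",
        "Reports": {REPORT_KEY: ["T1078"]},  # missing the TacticID: prefix
    },
    "gsuite_new_admin.yml": {
        "RuleID": "Custom.GSuite.NewAdmin",
        "Reports": {"SOC2": ["CC6.1"]},  # other framework, no ATT&CK key
    },
}


def lint_mappings(detections):
    """Return (file, problem) pairs: malformed IDs or no ATT&CK mapping at all."""
    problems = []
    for path, meta in detections.items():
        values = (meta.get("Reports") or {}).get(REPORT_KEY) or []
        if not values:
            problems.append((path, f"no '{REPORT_KEY}' report values"))
        for value in values:
            if not MAPPING_RE.match(str(value)):
                problems.append((path, f"malformed mapping {value!r}"))
    return problems


def coverage_by_tactic(detections):
    """Map each TacticID to the techniques covered by a well-formed mapping."""
    covered = defaultdict(set)
    for meta in detections.values():
        for value in (meta.get("Reports") or {}).get(REPORT_KEY) or []:
            if MAPPING_RE.match(str(value)):
                tactic, technique = value.split(":")
                covered[tactic].add(technique)
    return dict(covered)
```

Run it as a pre-commit or CI step over every detection in the repo; the lint findings are the detections that will not appear under any Tactic and Technique in the Console.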

### **Using tags to enrich the mapping convention**

The **Tags** field can be used to enrich the detection with more metadata about the Tactic and Technique as you see fit. For example, it may be useful to add the Tactic and Technique as a tag:

1. In the left-hand navigation bar of your Panther Console, click **Detections**.
2. Click the name of a detection.
3. Scroll down to the **Set Alert Fields** tile.
4. Type the tag in the **Custom Tags** field, then press enter.
5. In the upper-right corner, click **Update**.

### **Identifying the Tactic and Technique ID**

You can find the Tactic ID and Technique ID in the Panther Console or by visiting the [MITRE ATT\&CK website](https://attack.mitre.org/tactics/enterprise/).

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e9f9d082a28bada7e4faeab1a733778f20e2162a%2FScreen%20Shot%202022-11-09%20at%209.10.11%20AM%20(1)%20(1)%20(1)%20(1).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
