Knowledge BaseCommunityRelease NotesTry Panther
Search
⌃K
Links

Framework Mapping and MITRE ATT&CK® Matrix

Map detections to compliance frameworks in Panther

Overview

Panther supports the ability to track coverage against compliance frameworks by mapping rules, policies and scheduled rules to reports.
In Panther versions 1.37 and newer, you can map detections against MITRE ATT&CK®. This can help you track and visualize coverage, which may be useful for identifying gaps and reporting compliance internally. To learn how to assign Tactic and Technique combos to your detections, see the documentation below.

How to map a detection to a framework

Panther Console
Panther Analysis Tool
  1. 1.
    Log in to the Panther Console.
  2. 2.
    In the left sidebar, click Build > Detections. Click on a detection name to view its details.
  3. 3.
    On the detection detail page, click Edit in the upper right corner.
  4. 4.
    Within the Rule Settings tab, scroll down to the Framework Mapping section.
    The Framework Mapping section shows two fields: Report Key and Report Values
  5. 5.
    On the right hand side of the Framework Mapping section, click Add New.
    • In Report Key, enter the framework name.
    • In Report Values, enter the specific framework requirement name.
      • You can enter multiple report values separated by a comma.
  6. 6.
    Click Update in the upper right corner.
    • You can view the update on the detection details page, in the Framework Mapping field.
    The Details tab of a detection named AWS Access Key Uploaded to Github shows information like Created By, Modified By, Tags, etc. A red box has been drawn around the Framework Mapping field, which has a value of MITRE ATT&CK: TAOOO6: T1552
You can add framework mappings using the Panther Analysis Tool (PAT), in the detection metadata yaml files in source code.
For a given detection, add the Report Key and Report Value under the Reports yml tag:
Reports:
Report Key:
- Report Value
Once the detection has been uploaded via PAT or bulk uploaded, the changes will be reflected in the Panther Console.

How to use the MITRE ATT&CK® feature in Panther

  1. 1.
    Log in to your Panther Console.
  2. 2.
    In the left sidebar menu, click Build > MITRE ATT&CK®.
  3. 3.
    Choose an option from the Matrix drop-down menu in the upper right corner of the page.
Here you will see the number of techniques covered out of the total and the number of active analytics. Each Tactic is represented as a row, and a square represents each technique.
When clicking into a Technique, you will see the Detections or Log Sources that are applicable. Please note the following:
  • Panther Managed Detections are automatically assigned to applicable Tactic and Technique combos as long as you are using the latest version.
  • CrowdStrike as a Log Source is automatically assigned to applicable Tactic and Technique combos.
  • You are able to assign enabled or disabled Detections that have log sources that you have not yet onboarded.
You will need to assign all of your unmanaged rules, policies, and scheduled rules to the respective Tactics & Techniques.

Tactic and Technique possible states

  • Covered: Confirmed by you as a covered Tactic and Technique combo
  • Partially Covered:
    • One or more mapped Panther-managed detection or unmanaged detection
    • Onboarded Crowdstrike as a log source
  • Not Relevant: Manually assigned to not be relevant for your environment
  • Not Covered: No applicable detection or manually assigned

Adding and Editing ATT&CK mappings

Panther Console
Panther Analysis Tool
There are two ways to assign rules, policies, and scheduled rules to a Tactic and Technique: From the MITRE ATT&CK Matrix or from the Detection create/edit workflow.
Note: The actions below require a user with "Manage Rules" permission.

From the MITRE ATT&CK® Matrix:

  1. 1.
    Select a Tactic and Technique that you would like to map Detections to.
    • In the component under the Matrix you’ll see a list of already mapped Detections or an empty state.
  2. 2.
    At the bottom of the screen, click Create New or Map Existing to assign Detections.
    In the Panther Console under the matrix, there is a button labeled "Create New" and a link labeled "Map Existing".
For new and existing Detections the TacticID:TechniqueID will be automatically assigned after this step.
From the create or edit Detection workflow:
  1. 1.
    Click into a Detection.
  2. 2.
    Click Edit in the upper right.
  3. 3.
    Navigate to the Report Mapping tab
    • To add a mapping, click Add Report. Configure the fields:
      • Report Key: Enter MITRE ATT&CK.
      • Report Values: Enter the TacticID:TechniqueID value.
    • To remove a mapping, click the trash icon next to the TacticID:TechniqueID
  4. 4.
    Click Update.
    The image shows a Report Key field that contains "MITRE ATTACK" and a Report Values field that contains the TacticID:TechniqueID value
You can add ATT&CK mappings using the Detection metadata yaml files in source code via Panther Analysis Tool (PAT).
For a given Detection, add MITRE ATT&CK key and Tactic and Technique IDs under the Reports yml tag:
Reports:
MITRE ATT&CK:
- TA0006:T1110
Once the detection has been uploaded via Panther Analysis Tool or bulk uploaded, the changes will be reflected in the Matrix found in the Console.

Using tags to enrich the mapping convention

The Tags field can be used to enrich the detection with more metadata about the Tactic and Technique as you see fit. For example, it may be useful to add the Tactic and Technique as a tag:
  1. 1.
    In the Panther Console, click into a Detection.
  2. 2.
    Click Edit in the upper right.
  3. 3.
    Navigate to the Rule Settings tab.
  4. 4.
    Type the tag in the Custom Tags field, then press enter.
  5. 5.
    Click Update to save.

Identifying the Tactic and Technique ID

You can find the TacticID and TechniqueID in the Panther Console or by visiting the MITRE ATT&CK website.
Previous
Global Helper Functions
Next
Cloud Security Scanning
Last modified 3mo ago