Knowledge BaseCommunityRelease NotesTraining VideosRequest Demo
Search
K
Links

Framework Mapping and MITRE ATT&CK® Matrix

Map detections to compliance frameworks in Panther

Overview

Panther supports the ability to track coverage against compliance frameworks by mapping rules, policies and scheduled rules to reports.
In Panther versions 1.37 and newer, you can map detections against MITRE ATT&CK®. This can help you track and visualize coverage, which may be useful for identifying gaps and reporting compliance internally. To learn how to assign Tactic and Technique combos to your detections, see the documentation below.

How to map a detection to a framework

Console
CLI
  1. 1.
    In the left-hand navigation bar of your Panther Console, click Build > Detections.
  2. 2.
    Click the name of a detection.
  3. 3.
    Scroll down to the Set Alert Fields tile.
    The Set Alert Fields tile in the detection page is shown. There are various fields, like Severity, Deduplication Period, and Runbook. At the bottom is a circled Framework Mapping section, containing an Add New button.
  4. 4.
    On the right hand side of the Framework Mapping section, click Add New.
    • In Report Key, enter the framework name.
    • In Report Values, enter the specific framework requirement name.
      • You can enter multiple report values separated by a comma.
  5. 5.
    In the upper-right corner, click Update.
In your detection's YAML file (in both Python and YAML detections), add a Reports key:
Reports:
Report Key:
- Report Value
Once the detection has been uploaded with Panther Analysis Tool (PAT) or bulk uploaded, the changes will be reflected in the Panther Console.

How to use the MITRE ATT&CK® feature in Panther

  1. 1.
    Log in to your Panther Console.
  2. 2.
    In the left sidebar menu, click Build > MITRE ATT&CK®.
  3. 3.
    Choose an option from the Matrix drop-down menu in the upper right corner of the page.
Here you will see the number of techniques covered out of the total and the number of active analytics. Each Tactic is represented as a row, and a square represents each technique.
When clicking into a Technique, you will see the Detections or Log Sources that are applicable. Please note the following:
  • Panther Managed Detections are automatically assigned to applicable Tactic and Technique combos as long as you are using the latest version.
  • CrowdStrike as a Log Source is automatically assigned to applicable Tactic and Technique combos.
  • You are able to assign enabled or disabled Detections that have log sources that you have not yet onboarded.
You will need to assign all of your unmanaged rules, policies, and scheduled rules to the respective Tactics & Techniques.

Tactic and Technique possible states

  • Covered: Confirmed by you as a covered Tactic and Technique combo
  • Partially Covered:
    • One or more mapped Panther-managed detection or unmanaged detection
    • Onboarded Crowdstrike as a log source
  • Not Relevant: Manually assigned to not be relevant for your environment
  • Not Covered: No applicable detection or manually assigned

Adding and Editing ATT&CK mappings

Console
CLI
There are two ways to assign rules, policies, and scheduled rules to a Tactic and Technique: From the MITRE ATT&CK Matrix or from the detection create/edit workflow.
Note: The actions below require a user with "Manage Rules" permission.

From the MITRE ATT&CK® Matrix:

  1. 1.
    Select a Tactic and Technique that you would like to map Detections to.
    • In the component under the Matrix you’ll see a list of already mapped Detections or an empty state.
  2. 2.
    At the bottom of the screen, click Create New or Map Existing to assign Detections.
    In the Panther Console under the matrix, there is a button labeled "Create New" and a link labeled "Map Existing".
For new and existing Detections the TacticID:TechniqueID will be automatically assigned after this step.
From the create or edit detection workflow:
  1. 1.
    In the left-hand navigation bar of your Panther Console, click Build > Detections.
  2. 2.
    Click the name of a detection.
  3. 3.
    Scroll down to the Framework Mapping section, within the Set Alert Fields tile.
    • To add a mapping, click Add Report. Configure the fields:
      • Report Key: Enter MITRE ATT&CK.
      • Report Values: Enter the TacticID:TechniqueID value.
    • To remove a mapping, click the trash icon next to the TacticID:TechniqueID
  4. 4.
    In the upper-right corner, click Update.
    The image shows a Report Key field that contains "MITRE ATTACK" and a Report Values field that contains the TacticID:TechniqueID value
In your detection's YAML file (in both Python and YAML detections), add a Reports key, and under it, a MITRE ATT&CK key. Then add the Tactic and Technique IDs.
Reports:
MITRE ATT&CK:
- TA0006:T1110
Once the detection has been uploaded with Panther Analysis Tool (PAT) or bulk uploaded, the changes will be reflected in the matrix in the Panther Console.

Using tags to enrich the mapping convention

The Tags field can be used to enrich the detection with more metadata about the Tactic and Technique as you see fit. For example, it may be useful to add the Tactic and Technique as a tag:
  1. 1.
    In the left-hand navigation bar of your Panther Console, click Build > Detections.
  2. 2.
    Click the name of a detection.
  3. 3.
    Scroll down to the Set Alert Fields tile.
  4. 4.
    Type the tag in the Custom Tags field, then press enter.
  5. 5.
    In the upper-right corner, click Update.

Identifying the Tactic and Technique ID

You can find the TacticID and TechniqueID in the Panther Console or by visiting the MITRE ATT&CK website.
Previous
Data Replay (Beta)
Next
Cloud Security Scanning
Last modified 1mo ago