MITRE ATT&CK | Classifications | View
When entities are assigned classifications, you can:
View assigned TTPs…
… per entity.
Permissions
You need read entity and read attack permissions to view assigned classifications.
Viewing assigned classifications
View assigned classifications in entity tables
In Intelligence Center, entity tables can show the ATT&CK classifications of the displayed entities.
If the MITRE ATT&CK column is not visible:
View assigned classifications of individual entities
Open an entity (through search and browse, for example).
In the Entity modal, go to the Overview tab.
In the MITRE ATT&CK field you will see the assigned classifications.
Finding entities through assigned classifications
Filter on ATT&CK classifications
You can filter entity tables by ATT&CK classifications.
Search for ATT&CK classifications
When creating search queries, you can include ATT&CK classifications as filters to find entities with those classifications.
To construct a query including ATT&CK ID filters:
1. From the left navigation, select Search and Browse and open the Entities tab.
   You can include ATT&CK classifications in both simple and relational queries.
2. In the Search entities field, enter meta.attack.id: <ATT&CK_ID> or meta.attack.id.keyword: <ATT&CK_ID>.
   ATT&CK_ID specificity
   - meta.attack.id: <ATT&CK_ID> is non-literal, i.e. searching for TA0001 would return entities classified with TA0001 and TA0001:TXXXX. Searching for T1098 would return TA0001:T1098 and TA0011:T1098.
   - meta.attack.id.keyword: <ATT&CK_ID> is literal; searching for TA0001 would return entities classified with TA0001. Searching for T1098 would return nothing as it does not exist without a tactic scope.
3. Substitute <ATT&CK_ID> with an ATT&CK ID.
4. (Optional) To include multiple ATT&CK classifications, repeat steps 2 and 3, using AND/OR operators between filters.
5. (Optional) Complete your query with other filters.
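The difference between the two fields decides whether a hunt by technique ID returns anything, so it helps to check it before pasting a query. The following is an added example, not part of the product or its documentation: it builds filter strings in the syntax shown above and models the literal and non-literal matching as the page describes it. The entity names, the sample classifications, the function names and the ':'-splitting model are assumptions made for illustration.

```python
import re

# Constructed sample: classification values in the two shapes the page shows
# (a bare tactic, or tactic:technique). Entity names are made up.
SAMPLE = {
    "entity-a": ["TA0001"],
    "entity-b": ["TA0001:T1098"],
    "entity-c": ["TA0011:T1098"],
    "entity-d": ["TA0011"],
}

# Accepts only the ID shapes that appear on the page.
ID_RE = re.compile(r"^(TA\d{4}|T\d{4}|TA\d{4}:T\d{4})$")


def attack_filter(attack_id, literal=False):
    """Build one filter term for the Search entities field."""
    if not ID_RE.match(attack_id):
        raise ValueError(f"unexpected ATT&CK ID format: {attack_id!r}")
    field = "meta.attack.id.keyword" if literal else "meta.attack.id"
    return f"{field}: {attack_id}"


def combine(terms, operator="OR"):
    """Join filter terms with AND / OR, as in the optional step."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    return f" {operator} ".join(terms)


def matches(classification, attack_id, literal):
    """Model of the matching described on the page (an assumption about
    behaviour, not the product's implementation)."""
    if literal:
        return classification == attack_id  # the whole value must be equal
    # Non-literal: the ID equals the full value or one ':'-separated part.
    return attack_id == classification or attack_id in classification.split(":")


def search(entities, attack_id, literal=False):
    """Return the names of entities with at least one matching classification."""
    return sorted(
        name for name, classes in entities.items()
        if any(matches(c, attack_id, literal) for c in classes)
    )
```

In this model, a bare technique ID only finds entities through the non-literal field; with the .keyword field the ID has to be written with its tactic scope.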