MITRE ATT&CK | Classifications | View#

When entities are assigned classifications, you can:

Permissions#

You need read entity and read attack permissions to view assigned classifications.

Viewing assigned classifications#

View assigned classifications in entity tables#

In Intelligence Center, entity tables can show the ATT&CK classifications of the displayed entities.

If the MITRE ATT&CK column is not visible:

  1. On the right side of the table header, select the Settings icon.

  2. From the Customize list columns modal, select MITRE ATT&CK ID.

  3. Select Save.

View assigned classifications of individual entities#

  1. Open an entity (through search and browse, for example).

  2. In the Entity modal, go to the Overview tab.

In the MITRE ATT&CK field you will see the assigned classifications.

Finding entities through assigned classifications#

Filter on ATT&CK classifications#

You can filter entity tables by ATT&CK classifications.

  1. In any entity table, select Filter in the top left.

  2. Select the MITRE ATT&CK section to expand it.

  3. Start typing to search for an ATT&CK TTP.

  4. Select one or more ATT&CK TTPs from the list to filter results by.

Search for ATT&CK classifications#

When creating search queries, you can include ATT&CK classifications as filters to find entities with those classifications.

To construct a query including ATT&CK ID filters:

  1. From the left navigation, select Search and Browse and open the Entities tab.
    You can include ATT&CK classifications in both simple and relational queries.

  2. In the Search entities field, enter meta.attack.id: <ATT&CK_ID> or meta.attack.id.keyword: <ATT&CK_ID>.

    ATT&CK_ID specificity

    meta.attack.id: <ATT&CK_ID> is non-literal: searching for TA0001 returns entities classified with TA0001 and TA0001:TXXXX, and searching for T1098 returns TA0001:T1098 and TA0011:T1098.

    meta.attack.id.keyword: <ATT&CK_ID> is literal: searching for TA0001 returns only entities classified with exactly TA0001. Searching for T1098 returns nothing, because a technique ID does not exist without a tactic scope.

  3. Substitute <ATT&CK_ID> with an ATT&CK ID.

  4. (Optional) To include multiple ATT&CK classifications, repeat steps 2 and 3, using AND/OR operators between filters.

  5. (Optional) Complete your query with other filters.

  6. Run the query by selecting the Search icon.
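
The following added example (not part of the product or its documentation) builds query strings for the steps above and models the literal and non-literal matching described under "ATT&CK_ID specificity". The helper names, the sample entities and the matching model are assumptions made for illustration; only the meta.attack.id and meta.attack.id.keyword fields and the AND/OR operators come from this page.

```python
import re

# ID shapes used on this page: tactic, technique, or tactic-scoped technique.
ATTACK_ID = re.compile(r"^(TA\d{4}|T\d{4}|TA\d{4}:T\d{4})$")
BARE_TECHNIQUE = re.compile(r"^T\d{4}$")


def build_filter(attack_id, literal=False):
    """Return one filter string; reject IDs that cannot match anything."""
    if not ATTACK_ID.match(attack_id):
        raise ValueError(f"not an ATT&CK ID: {attack_id!r}")
    if literal and BARE_TECHNIQUE.match(attack_id):
        # Per the page, a technique never exists without a tactic scope,
        # so a literal filter on a bare technique ID returns nothing.
        raise ValueError(f"{attack_id} needs a tactic scope for a literal filter")
    field = "meta.attack.id.keyword" if literal else "meta.attack.id"
    return f"{field}: {attack_id}"


def build_query(filters, operator="AND"):
    """Join filters with a single AND/OR operator (step 4)."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    return f" {operator} ".join(filters)


def matches(classification, attack_id, literal=False):
    """Model of the matching the page describes (an assumption, not product code)."""
    if literal:
        return classification == attack_id
    return attack_id == classification or attack_id in classification.split(":")


def search(entities, attack_id, literal=False):
    """Return the names of entities with at least one matching classification."""
    return sorted(name for name, ids in entities.items()
                  if any(matches(c, attack_id, literal) for c in ids))


# Constructed sample entities, using the IDs from the page's own examples.
ENTITIES = {
    "report-a": ["TA0001"],
    "indicator-b": ["TA0001:T1098"],
    "ttp-c": ["TA0011:T1098"],
}

if __name__ == "__main__":
    print(build_query([build_filter("TA0001"), build_filter("T1098")], "OR"))
    print(search(ENTITIES, "TA0001"))                # non-literal
    print(search(ENTITIES, "TA0001", literal=True))  # literal
```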