Classifications
Intelligence Center supports multiple threat and adversary frameworks that codify tactics, techniques, and procedures (TTPs) used by malicious actors. Framework classifications can be assigned to entities to capture structured intelligence and enable analysis across your dataset.
Supported frameworks
Intelligence Center currently supports:
MITRE ATT&CK: A knowledge base of adversary tactics and techniques based on real-world observations. See https://attack.mitre.org/ for more information.
DISARM: A framework for analyzing and tracking disinformation campaigns and techniques. See https://www.disarm.foundation/framework for more information.
You can:
Version support
MITRE ATT&CK
Intelligence Center v3.7 supports MITRE ATT&CK v18.1.
Older versions of MITRE ATT&CK are supported for:
Classifications revoked after MITRE ATT&CK v9.0. (These classifications remain assigned and can still be assigned to entities.)
Entities exported from earlier versions of EclecticIQ Intelligence Center and imported in v3.7:
If the assigned classifications have not been renamed or were revoked-and-replaced, the imported entities will retain their assigned classifications.
If the assigned classifications were renamed (but retained their ID), the entity will be classified with the up-to-date classification names.
Must update queries
If a query (in a Search query dataset or rule, for example) uses a or renamed ATT&CK classification, those queries must be updated to use the updated ATT&CK classification to continue to work.
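To find which classification IDs a saved query may need to be checked against, two ATT&CK STIX bundles can be compared offline. The following is an added example, not EclecticIQ code: it assumes the public ATT&CK STIX conventions (an external reference with source_name "mitre-attack", a revoked flag, and revoked-by relationships), and the sample bundles and T9xxx IDs are constructed placeholders.

```python
def techniques(bundle):
    """ATT&CK ID -> (STIX id, name, revoked flag) for each attack-pattern."""
    found = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
                found[ref["external_id"]] = (obj["id"], obj["name"], obj.get("revoked", False))
    return found

def classification_changes(old_bundle, new_bundle):
    """Return (renamed, revoked) ATT&CK IDs between two framework versions."""
    old, new = techniques(old_bundle), techniques(new_bundle)
    stix_to_attack = {stix_id: attack_id for attack_id, (stix_id, _, _) in new.items()}
    # 'revoked-by' relationships point from the revoked object to its replacement.
    replaced_by = {}
    for o in new_bundle["objects"]:
        if o.get("type") == "relationship" and o.get("relationship_type") == "revoked-by":
            replaced_by[stix_to_attack.get(o["source_ref"])] = stix_to_attack.get(o["target_ref"])
    renamed, revoked = {}, {}
    for attack_id, (_, old_name, was_revoked) in old.items():
        if was_revoked or attack_id not in new:
            continue
        _, new_name, now_revoked = new[attack_id]
        if now_revoked:
            revoked[attack_id] = replaced_by.get(attack_id)  # None: no replacement recorded
        elif new_name != old_name:
            renamed[attack_id] = (old_name, new_name)
    return renamed, revoked

def _ap(n, attack_id, name, revoked=False):
    # Constructed sample object; IDs and names are placeholders, not real ATT&CK entries.
    return {"type": "attack-pattern", "id": f"attack-pattern--00000000-0000-4000-8000-{n:012d}",
            "name": name, "revoked": revoked,
            "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}]}

OLD = {"type": "bundle", "objects": [_ap(1, "T9001", "Sample A"), _ap(2, "T9002", "Sample B"),
                                     _ap(3, "T9003", "Sample C")]}
NEW = {"type": "bundle", "objects": [
    _ap(1, "T9001", "Sample A (renamed)"), _ap(2, "T9002", "Sample B", revoked=True),
    _ap(3, "T9003", "Sample C"), _ap(4, "T9004", "Sample D"),
    {"type": "relationship", "relationship_type": "revoked-by",
     "source_ref": _ap(2, "", "")["id"], "target_ref": _ap(4, "", "")["id"]}]}

if __name__ == "__main__":
    renamed, revoked = classification_changes(OLD, NEW)
    print("renamed:", renamed)
    print("revoked:", revoked)
```

Any saved query that references an ID in either result is a candidate for review.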
DISARM
Intelligence Center v3.7 supports DISARM v1.6.
DISARM classifications are sourced from the official DISARM v1.6 STIX 2.1 repository (see https://github.com/DISARMFoundation/DISARMframeworks). Each classification is identified by its DISARM ID (e.g. T0073), which maps 1-to-1 to a STIX ID (e.g. attack-pattern--6faf71ca-1e32-4134-8a7c-79b25f7f3615).
Permissions
To be able to work with classifications, your user must have a role with these permissions:
read attack: to access the framework classification taxonomy and use it to search and filter entities.
modify entities: to add framework classifications to entities.