Intelligence metadata | MITRE ATT&CK | Classifications
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It codifies many of the tactics, (sub-)techniques, and procedures (TTPs) malicious actors may use to gain information about, and access to, your IT infrastructure.
MITRE ATT&CK website
See https://attack.mitre.org/ for more information.
When a TTP is assigned to an entity, that assignment is called a classification. Entities can have multiple classifications, but only entities can be classified with ATT&CK TTPs.
Heat maps
You can analyze the relative occurrence of classifications in your intelligence with MITRE ATT&CK analysis.
You can:
More information
When hovering over the information icon for an ATT&CK classification, select READ MORE to go to that classification's attack.mitre.org page.
The icon is only visible if your user has a role that has the read attack permission.
Version support
Intelligence Center v3.4 supports MITRE ATT&CK v15.1.
Older versions of MITRE ATT&CK are supported for:
Classifications revoked after MITRE ATT&CK v9.0. These classifications remain assigned and can still be assigned to entities.
Entities exported from earlier versions of EclecticIQ Intelligence Center and imported in v3.4:
If the assigned classifications have not been renamed or were revoked-and-replaced, the imported entities will retain their assigned classifications.
If the assigned classifications were renamed (but retained their ID), the entity will be classified with the up-to-date classification names.
Must update queries
If a query (in a Search query dataset or rule, for example) uses a revoked or renamed ATT&CK classification, that query must be updated to use the current ATT&CK classification in order to continue working.
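One way to check an older export's classifications against a newer ATT&CK release before importing, as an added example that is not EclecticIQ's own code: it separates unchanged, renamed (ID retained), revoked-and-replaced and missing techniques, and lists the IDs whose saved queries need updating. The bundle, technique IDs and names below are constructed; the field names assume the shape of ATT&CK's STIX bundles.

```python
# Constructed example data, not real ATT&CK content. Field names follow the shape
# of ATT&CK STIX bundles (mitre-attack external_id, revoked flag, revoked-by relationship).
def attack_pattern(stix_id, tech_id, name, revoked=False):
    return {"type": "attack-pattern", "id": stix_id, "name": name, "revoked": revoked,
            "external_references": [{"source_name": "mitre-attack", "external_id": tech_id}]}

NEW_RELEASE = {"objects": [
    attack_pattern("attack-pattern--a1", "T9001", "Example Technique"),
    attack_pattern("attack-pattern--b2", "T9002", "Renamed Technique"),
    attack_pattern("attack-pattern--c3", "T9003", "Old Technique", revoked=True),
    {"type": "relationship", "relationship_type": "revoked-by",
     "source_ref": "attack-pattern--c3", "target_ref": "attack-pattern--a1"},
]}

# Classifications as assigned in an older export: technique ID -> name at export time.
OLD_CLASSIFICATIONS = {"T9001": "Example Technique",    # unchanged
                       "T9002": "Original Technique",   # renamed, ID retained
                       "T9003": "Old Technique",        # revoked, replaced by T9001
                       "T9004": "Vanished Technique"}   # absent from the new release

def technique_id(obj):
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def compare_classifications(old, bundle):
    """Map each assigned technique ID to (status, detail) in the newer release."""
    patterns = {o["id"]: o for o in bundle["objects"] if o["type"] == "attack-pattern"}
    by_tech_id = {technique_id(o): o for o in patterns.values()}
    revoked_by = {r["source_ref"]: r["target_ref"] for r in bundle["objects"]
                  if r["type"] == "relationship" and r["relationship_type"] == "revoked-by"}
    result = {}
    for tid, old_name in old.items():
        obj = by_tech_id.get(tid)
        if obj is None:
            result[tid] = ("missing", None)          # no object with that ID at all
        elif obj.get("revoked"):
            target = revoked_by.get(obj["id"])      # replacing technique, if recorded
            result[tid] = ("revoked", technique_id(patterns[target]) if target else None)
        elif obj["name"] != old_name:
            result[tid] = ("renamed", obj["name"])  # same ID, classification name changed
        else:
            result[tid] = ("unchanged", None)
    return result

def queries_to_update(old, bundle):
    """Technique IDs that saved queries must be updated for (renamed or revoked)."""
    return sorted(t for t, (s, _) in compare_classifications(old, bundle).items()
                  if s in ("renamed", "revoked"))
```

Run against a real export, the `OLD_CLASSIFICATIONS` mapping would be built from the entities' assigned classifications and `NEW_RELEASE` loaded from the ATT&CK STIX bundle of the target version.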