Classifications | Manage

In Intelligence Center, you can:

Assign classifications to an entity

  1. Open an entity (through search and browse, for example).

  2. On the Overview tab, scroll down to the TTP classifications section.

  3. Select MANAGE CLASSIFICATIONS.

  4. In the Select TTP Classification modal that appears, select classifications to add them to this entity.

  5. Select Select to save your changes.

Automatic extraction of ATT&CK classifications

When a Report entity is created with MITRE ATT&CK classifications (e.g. T1234 or T1234.765) in its Description or Analysis field, these classifications will be extracted and added to that Entity. This is true for both manually created and ingested entities.

Unassign an entity’s classifications

  1. Open an entity (through search and browse, for example).

  2. On the Overview tab, scroll down to the TTP classifications section.

  3. In the row of the classifications that you want to unassign, select X Delete classification.

Bulk actions

You can also assign and unassign classifications for multiple entities at once as a bulk action.

  1. In an entity table, select all entities you want to change classifications for.

  2. Select TTP Classification from the entity table header.

    • To unassign: deselect individual classifications, or select the x icon in the upper right to Remove all techniques and tactics.

    • To assign: Select individual techniques. You can also search for IDs or names.

  3. Select Save.

Handle techniques that belong to more than one tactic

Some techniques and sub-techniques may be associated with more than one tactic.

For example, the MITRE ATT&CK data model allows you to classify a threat actor with the technique “T1072 Software Deployment Tools”. However, T1072 occurs in two tactics: “TA0002 Execution” and “TA0008 Lateral Movement”. The ATT&CK model does not require you to specify a tactic for an observed technique or sub-technique. This allows analysts to map data to ATT&CK when a technique or sub-technique can be identified, but it’s unknown to which parent tactic it belongs.

EclecticIQ Intelligence Center does not support this ambiguity. All classifications in EclecticIQ Intelligence Center must have a specific parent tactic. To work around this, in instances where a classification’s parent tactic is ambiguous, assign all possible parent tactics. For example, to assign “T1072 Software Deployment Tools” to an entity and leave its parent tactic ambiguous, assign both TA0002:T1072 and TA0008:T1072 to the entity to maintain that ambiguity.
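
The following added example (not EclecticIQ code) pulls technique IDs out of a report description, as in the automatic extraction described earlier, and expands each one into every TAxxxx:Txxxx pair so that a multi-tactic technique such as T1072 keeps its ambiguity. The regular expression, the lookup table, and the sample description are assumptions constructed for illustration.

```python
import re

# Technique IDs in the form the page shows: T1234 or T1234.765.
# Assumption: this pattern approximates the product's extraction; it is not its code.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed excerpt of a technique -> parent tactics lookup. T1072 is the
# page's example; in practice, build this table from the ATT&CK dataset.
PARENT_TACTICS = {
    "T1072": ["TA0002", "TA0008"],   # Execution, Lateral Movement
    "T1566.001": ["TA0001"],         # Initial Access
}

# Constructed sample description. T9999 is a made-up ID absent from the lookup.
DESCRIPTION = (
    "Actor delivered a lure (T1566.001), then pushed payloads with T1072. "
    "T1072 was also used to reach other hosts. Ticket T12345 and tactic "
    "TA0002 must not be picked up as techniques; T9999 is unmapped."
)

def extract_technique_ids(text):
    """Return unique technique IDs in order of first appearance."""
    seen = []
    for match in TECHNIQUE_RE.findall(text):
        if match not in seen:
            seen.append(match)
    return seen

def expand_classifications(technique_ids, parent_tactics=PARENT_TACTICS):
    """Return (TAxxxx:Txxxx pairs, IDs with no known parent tactic)."""
    pairs, unknown = [], []
    for tid in technique_ids:
        tactics = parent_tactics.get(tid)
        if not tactics:
            # Do not guess a tactic; leave these for an analyst to review.
            unknown.append(tid)
            continue
        # Assign every possible parent tactic to preserve the ambiguity.
        pairs.extend(f"{ta}:{tid}" for ta in tactics)
    return pairs, unknown

if __name__ == "__main__":
    ids = extract_technique_ids(DESCRIPTION)
    print(ids, expand_classifications(ids))
```
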