Classifications | View

When entities are assigned classifications, you can:

View classifications

In entity tables

To show the TTP Classification column in the entity listing view if it is not visible:

  1. On the right side of the table header, select the Settings icon.

  2. From the Customize list columns modal, select TTP Classification.

  3. Select Save.

In entity detail pane

  1. Open an entity’s detail pane.

  2. In the entity modal, go to the Overview tab.

The assigned classifications are displayed in the TTP Classification section.

In the graph

  1. From the graph top menu bar, select TTP Classification.

  2. Enable the Show TTP Classifications toggle.

By default, classifications appear as a list below each entity node in the graph.

The following additional options become available:

  • Show as Objects: Displays classifications as individual objects in the graph instead of a list below each entity. Select a classification object to open a modal with a short description. Select Read More to open the classification’s page on the framework website.

  • Show Name: Displays the full classification name instead of just the ID.

  • Framework filter: Filter which classifications are shown in the graph by framework (e.g. MITRE ATT&CK or DISARM).

Search and filter entities through assigned classifications

Filter on classifications

You can filter entity tables by framework classifications.

  1. In any entity table, select Filter in the top-left.

  2. Expand the relevant framework section (e.g. MITRE ATT&CK or DISARM).

  3. Start typing to search for a classification.

  4. Select one or more classifications from the list to filter results by.

    Filter by ATT&CK classification

Search for classifications

When creating search queries, you can include classifications as filters to find entities with those classifications.

To construct a query including classification ID filters:

  1. From the left sidebar, select Search and Browse and open the Entities tab.
    You can include classifications in both simple and relational queries.

  2. In the Search entities field, enter meta.attack.id: <TTP_ID> or meta.attack.id.keyword: <TTP_ID>.

    TTP_ID specificity

    A meta.attack.id: <TTP_ID> filter is non-literal: searching for TA0001 returns entities classified with TA0001 and TA0001:TXXXX, and searching for T1098 returns TA0001:T1098 and TA0011:T1098.

    A meta.attack.id.keyword: <TTP_ID> filter is literal: searching for TA0001 returns entities classified with TA0001, and searching for T1098 returns nothing, because that ID does not exist without a tactic scope.

  3. (Optional) To include multiple classifications, repeat steps 2 and 3, using AND/OR operators between filters.

  4. (Optional) Complete your query with other filters.

  5. Run the query by selecting the Search icon.
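The difference between the two fields, and the effect of combining filters with AND/OR, can be checked offline with a small model. This is an added example, not the product's code or search implementation; the entity names, the helper functions and the assumption that non-literal matching works on ":"-separated components of the ID are all hypothetical.

```python
# Added example: a local model of the two match modes described above.
# Assumption: an assigned classification ID is "TAxxxx" or "TAxxxx:Txxxx",
# and the non-literal field matches the full ID or any ":"-separated part.

def matches_id(assigned, ttp_id):
    """Models meta.attack.id (non-literal)."""
    return any(ttp_id == cid or ttp_id in cid.split(":") for cid in assigned)


def matches_keyword(assigned, ttp_id):
    """Models meta.attack.id.keyword (literal): the full ID must be equal."""
    return ttp_id in assigned


FIELDS = {
    "meta.attack.id": matches_id,
    "meta.attack.id.keyword": matches_keyword,
}


def search(entities, filters, operator="AND"):
    """Return names of entities matching the (field, ttp_id) filters.

    operator is "AND" (every filter must match) or "OR" (any filter matches).
    """
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    combine = all if operator == "AND" else any
    return [
        name
        for name, assigned in entities.items()
        if combine(FIELDS[field](assigned, ttp_id) for field, ttp_id in filters)
    ]


# Constructed sample entities; names and assignments are illustrative only.
ENTITIES = {
    "report-a": ["TA0001"],
    "report-b": ["TA0001:T1098"],
    "report-c": ["TA0011:T1098"],
    "report-d": ["TA0011"],
}

if __name__ == "__main__":
    print(search(ENTITIES, [("meta.attack.id", "T1098")]))
    print(search(ENTITIES, [("meta.attack.id.keyword", "T1098")]))
```

In this model, a technique scoped to one tactic is found either with the literal form on the full ID (TA0011:T1098) or by combining two non-literal filters with AND.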