MITRE ATT&CK Monitor

Last updated: Mar 21, 2025

Overview

The Monitor workspace is designed around the MITRE ATT&CK framework and provides a centralized view of the organization's security posture.

The tabs across the top of the Monitor screen allow users to analyze data through five views: Events, Incidents, Technique Patterns, Artifacts, and Map View. The following screenshot shows the MITRE ATT&CK matrix view for Events.


READER NOTE

The count and display of Events, Artifacts and Technique Patterns on each of these tabs will vary depending on the site selected.

MITRE ATT&CK Matrix

All potential threats in the Events and Incidents tabs are categorized in a MITRE ATT&CK matrix view according to the tactic and technique they map to, as outlined in the ATT&CK Matrix for Enterprise. This view highlights large-scale attacks at a glance and helps users identify critical threats that require immediate attention.

The Tactics row visualization provides a high-level overview of the organization's security posture. It helps users quickly identify threat volume and technique activity trends over a selected time period. Users can also create custom tactics, techniques, and search conditions for more refined categorization, which are covered later in this document.


Customize the Monitor Dashboard view using the toggles in the upper-right corner, below site selection. These toggles allow users to expand sub-techniques, show only open events, and enable or disable MITRE tactics.


READER NOTE

The Enable MITRE Tactics toggle is applied globally; if it is toggled off, the tactic cannot be used anywhere else, including when tagging incidents with tactics.

Techniques & Sub-Techniques

Techniques and sub-techniques below the Tactics section display event counts and change velocity. By default, sub-techniques are hidden. Expand a technique to view its underlying sub-techniques. Click a tactic, technique, or sub-technique to configure search criteria.


Events

Clicking a specific tactic or technique in the MITRE ATT&CK matrix view reveals a list of all underlying events. Events in this list are sorted by their time of occurrence and by the time they were ingested into the platform. Select an event to investigate it, then escalate it to an incident or dismiss it.


Creating a New Tactic

The Monitor workspace is fully customizable and adaptive to the user's environment. Users can create a tactic to support investigations.

  1. Hover over a Tactic and click on ▼

  2. Select Insert Tactic on Right (or Insert Tactic on Left) from the dropdown menu.

  3. In the New Tactic window, enter the following details:

    1. Tactic Name

    2. Description

READER NOTE

Add procedure information for a MITRE tactic and technique under the Group and Software sections.

  4. Click Save.


Creating a New Technique and Procedure

After creating a tactic, add a technique under it. Optionally, add procedure information for the technique.

  1. Hover over a Tactic and click on ▼.

  2. Select Add Technique from the dropdown menu.

  3. In the New Technique window, enter the following details:

    1. Technique Name

    2. Description

    3. Mitigation

    4. Detection

    5. Group

    6. Software

READER NOTE

Add procedure information for a MITRE tactic and technique under the Group and Software sections.

  4. Click Save.


Creating a Technique Search Criteria

Add search criteria to system or custom tactic-technique-procedures. The search criteria determine an event's TTP label during ingestion. After criteria are created, newly ingested events that match the criteria are labeled with the corresponding TTP.

The example below outlines the steps to add search criteria to the Spearphishing Link technique for Office 365 ATP alerts.

In this example, Office 365 ATP alerts are automatically ingested into D3 to create events. The search criteria look for a Spearphishing Link event, which typically carries the description "A potentially malicious URL click was detected." in its Email Subject field.

  1. Expand Phishing for Information under the Reconnaissance Tactic in the Events tab.

  2. Hover over the Spearphishing Link Technique and click on ⓘ to open up the Search Criteria editor.

  3. Click + Create a New Search.

  4. In the New Search window:

    Search Name: Enter a name for the search.

    Example - Office 365 Email Alerts


    (Optional) Description: Enter a short description for this query.

    Example - Malicious URL Clicks captured by Office 365


    Risk Level: Set the risk level for this query.

    Example - High

  5. Click + Add Search Condition. In the Add Search Condition window:

    1. Click on the Field dropdown and select Email Subject

    2. For the Operator dropdown, select CONTAINS.

    3. Type "A potentially malicious URL click was detected" into the Value input field.

  6. After adding all search conditions, click the + Add button.

READER NOTE

The condition operators available depend on the type of the event field selected.

  7. Review all the search queries in the New Search window, then click Save.

  8. Activate this new search query by enabling the Active toggle.


READER NOTE

As a best practice, when building custom Tactic-Technique-Procedure (TTP) search criteria, first analyze a few sample events. From the event data, identify the specific fields and values that generalize the characteristics of the events you want to mark as a given TTP.
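The following is an added example, written for this page rather than taken from D3's own matching engine, of how search criteria of the kind built above label events at ingestion time. The Field / Operator / Value condition shape, the CONTAINS operator, the Active toggle, the Spearphishing Link technique and its Email Subject value are taken from the steps above; the additional operators, the AND semantics across conditions, case-insensitive matching, the sample event dictionaries and all function and class names are assumptions.

```python
"""Added example: ingestion-time TTP labelling from technique search criteria.

Illustrative code written for this page; it is not D3's own matching engine.
The Field / Operator / Value condition shape, the CONTAINS operator, the
Active toggle, the Spearphishing Link example and its Email Subject value
come from the page. The other operators, AND semantics across conditions,
case-insensitive matching, the event dictionaries and every function name
are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Operators offered for string-typed fields (assumed set; the page only shows
# CONTAINS and notes that the operators depend on the field type).
STRING_OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "CONTAINS": lambda actual, expected: expected.lower() in actual.lower(),
    "EQUALS": lambda actual, expected: actual == expected,
    "STARTS_WITH": lambda actual, expected: actual.startswith(expected),
}


@dataclass
class Condition:
    field: str
    operator: str
    value: str

    def matches(self, event: dict) -> bool:
        actual = event.get(self.field)
        if not isinstance(actual, str):
            return False  # a missing or non-string field never matches
        return STRING_OPERATORS[self.operator](actual, self.value)


@dataclass
class SearchCriteria:
    name: str
    tactic: str
    technique: str
    risk_level: str
    conditions: List[Condition]
    active: bool = True  # the Active toggle: an inactive search never labels

    def matches(self, event: dict) -> bool:
        # Every condition must hold (AND semantics are an assumption).
        return self.active and all(c.matches(event) for c in self.conditions)


def label_event(event: dict, criteria: List[SearchCriteria]) -> dict:
    """Return a copy of the event with one TTP label per matching search."""
    labelled = dict(event)
    labelled["ttp"] = [
        {"tactic": c.tactic, "technique": c.technique,
         "search": c.name, "risk_level": c.risk_level}
        for c in criteria if c.matches(event)
    ]
    return labelled


# The search built in the steps above, expressed as data.
OFFICE365_SEARCH = SearchCriteria(
    name="Office 365 Email Alerts",
    tactic="Reconnaissance",
    technique="Spearphishing Link",
    risk_level="High",
    conditions=[Condition("Email Subject", "CONTAINS",
                          "A potentially malicious URL click was detected")],
)

# An inactive copy shows that a disabled search never labels anything.
INACTIVE_SEARCH = SearchCriteria(
    name="Office 365 Email Alerts (disabled)",
    tactic="Reconnaissance", technique="Spearphishing Link", risk_level="High",
    conditions=OFFICE365_SEARCH.conditions, active=False,
)

# Constructed sample events (not real alerts).
SAMPLE_EVENTS = [
    {"id": 1, "Email Subject": "A potentially malicious URL click was detected",
     "Source": "Office 365 ATP"},
    {"id": 2, "Email Subject": "Weekly digest", "Source": "Office 365 ATP"},
    {"id": 3, "Source": "Firewall"},  # no Email Subject field at all
]


def label_samples() -> List[dict]:
    """Run both searches over the sample events and return the labelled copies."""
    return [label_event(e, [OFFICE365_SEARCH, INACTIVE_SEARCH])
            for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event in label_samples():
        print(event["id"], [t["technique"] for t in event["ttp"]])
```

Only the first sample event receives a label; the digest mail and the firewall event without an Email Subject field are left untagged, and the disabled copy of the search contributes nothing even though its condition would match.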

Viewing and Editing a Technique Search Criteria

View the search criteria for existing techniques by clicking ⓘ on a technique card. This view provides visibility into the criteria used to surface events.


Existing search criteria can be edited, enabled, or disabled. Clicking the pencil icon opens the same Search Query window described earlier.

READER NOTE

All system search criteria are view-only; user-created criteria can be edited.

Incidents

The second tab provides the MITRE ATT&CK framework from the incident perspective. In this view, the displayed threats have been validated by users or automated event escalation rules.


Click a tactic or technique in this view to display the underlying incidents. Select an incident from the list to investigate it.


Investigating an Incident

Selecting an incident from the list opens the Incident Workspace, which provides the tools required to respond to an incident in one place.

For more information on this workspace, refer to Incident Workspace.

Technique Patterns

The Technique Patterns tab groups events based on the specific search criteria that were used to tag the event with the appropriate tactics and techniques. Use the condensed view to quickly identify attack patterns and frequency. Technique Patterns relevant to specific incidents can also be accessed in the Incident Workspace.


Technique Pattern Details

Click a technique pattern from the list to open the Technique Pattern Details window, where users can view additional details about the selected pattern and its associated events. Two key views are available in Technique Pattern Details.

  1. Overview: Provides all relevant information for the selected technique pattern.

  2. Related Events: Provides a list of all instances where the selected technique pattern appears in an event. Clicking an event opens the Event Details window.


Artifacts

The Artifacts tab displays artifacts extracted from the events shown in the Events tab. Users can sort artifacts by importance level, for example to surface high-profile artifacts such as critical servers. Artifacts related to specific incidents can also be accessed in the Incident Workspace.


Viewing Artifact Details

Click an artifact from the list to open the Artifact Details window, where users can view additional details and associated events. Artifact Details contains five tabs.

  1. Overview: Displays all relevant information for the selected Artifact.

  2. Related Events: Provides a list of all instances where the selected artifact appears in an event. Clicking on an event will open the Event Details window.

  3. Related Incidents: Provides a list of all instances where the selected artifact appears in an incident. Clicking on an incident will open the related Incident Workspace.


  4. State: If the artifact has been updated or changed, the State tab displays a history of those changes.


  5. Reputation: Provides a historical record of the reputation for the selected artifact. This is useful for detecting changes in an artifact.


Artifacts can be exported in STIX 2.1 format as a JSON file. Use the share icon located at the top right corner of the Artifact Details window.
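As an added example of what a STIX 2.1 JSON export of artifacts looks like, the block below builds such a bundle by hand. It is illustrative code written for this page, not D3's exporter, and the artifact records are constructed samples. The object layout follows the STIX 2.1 specification (a bundle containing ipv4-addr and domain-name cyber observables plus an indicator per artifact, with observable ids derived as UUIDv5 from the specification's namespace); the mapping from artifact kinds to STIX types, the use of the artifact's risk level in the indicator name, and all function names are assumptions.

```python
"""Added example: exporting artifacts as a STIX 2.1 bundle in JSON.

Illustrative code written for this page; it is not D3's exporter, and the
artifact records are constructed samples. The object layout follows the
STIX 2.1 specification: a bundle holding cyber observable objects
(ipv4-addr, domain-name) and one indicator per artifact. The mapping from
artifact kinds to STIX types and the indicator naming are assumptions.
"""
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional

# STIX 2.1 namespace for deterministic (UUIDv5) observable ids; the name
# hashed is the JSON of the id-contributing properties ("value" here).
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Artifact kind -> STIX cyber observable type (assumed mapping).
ARTIFACT_TO_STIX = {"ipv4": "ipv4-addr", "domain": "domain-name"}


def sco_id(sco_type: str, value: str) -> str:
    """Deterministic id so the same observable exports to the same id every time."""
    contributing = json.dumps({"value": value}, separators=(",", ":"))
    return f"{sco_type}--{uuid.uuid5(SCO_NAMESPACE, contributing)}"


def stix_literal(value: str) -> str:
    """Escape a value for use inside a single-quoted STIX pattern literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def artifact_to_stix(artifact: dict, timestamp: str) -> List[dict]:
    """Return the observable and the indicator describing one artifact."""
    sco_type = ARTIFACT_TO_STIX[artifact["kind"]]
    value = artifact["value"]
    observable = {
        "type": sco_type,
        "spec_version": "2.1",
        "id": sco_id(sco_type, value),
        "value": value,
    }
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": timestamp,
        "modified": timestamp,
        "name": f"{artifact['risk']} risk artifact: {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{sco_type}:value = '{stix_literal(value)}']",
        "pattern_type": "stix",
        "valid_from": timestamp,
    }
    return [observable, indicator]


def build_bundle(artifacts: List[dict], timestamp: Optional[str] = None) -> dict:
    """Assemble a STIX 2.1 bundle; duplicate artifacts are exported once."""
    if timestamp is None:
        now = datetime.now(timezone.utc)
        timestamp = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    unique: Dict[tuple, dict] = {(a["kind"], a["value"]): a for a in artifacts}
    objects = [obj for a in unique.values()
               for obj in artifact_to_stix(a, timestamp)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def export_bundle_json(artifacts: List[dict], timestamp: Optional[str] = None) -> str:
    """Serialise the bundle to the JSON text that would be written to the file."""
    return json.dumps(build_bundle(artifacts, timestamp), indent=2)


# Constructed sample artifacts (documentation-range addresses, not real IoCs).
SAMPLE_ARTIFACTS = [
    {"kind": "ipv4", "value": "203.0.113.5", "risk": "High"},
    {"kind": "domain", "value": "example.test", "risk": "Medium"},
    {"kind": "ipv4", "value": "203.0.113.5", "risk": "High"},  # duplicate
]

if __name__ == "__main__":
    print(export_bundle_json(SAMPLE_ARTIFACTS))
```

Deriving observable ids from the value rather than generating them at random is what lets a consumer that imports two exports of the same artifact recognise them as the same object.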

Map View

The Map View tab provides a visual representation of surfaced and high-risk threats. This view allows users to map connections between artifacts and potential adversarial groups by geographic location.


Required Setup

The following conditions must be met for IP addresses and host domains to be displayed in Map View.

  1. Complete the required setup:

    1. ipstack Integration: A connection to the ipstack integration must be established on the target site. For detailed steps, refer to the ipstack integration guide.

    2. Field Mappings: Ensure that the field mappings for the data source Fetch Event commands are configured correctly. The IP addresses in the raw data must be linked to the External Endpoint artifact type.
       In the field mapping settings for each data source, map the JSON paths of these IP addresses to one of the following default fields: Destination hostname, Destination IP address, Source hostname, Source IP address, Device, Device IP address, Source Device, Source Device IP address, Destination Device, and Destination Device IP address. This links the associated IPs with the External Endpoint artifact type.

  2. Alerts with IP or host domain information are ingested into D3 as events.

  3. With the corresponding field mappings in place, the system automatically checks the IP geolocation in ipstack upon ingesting events from the configured data sources.

READER NOTE

D3 will first perform an IP geolocation check in the system's cache. If no data is found, it will proceed to check in ipstack, using up the allocated quota.

  4. If ipstack returns an IP geolocation, it will be displayed on the map.

READER NOTE

If ipstack doesn't return any result, the IP or host domain won't be displayed on the map.
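The block below is an added example, written for this page and not D3's ingestion pipeline or the ipstack integration, that walks through the setup just described: raw alert JSON paths are mapped onto the External Endpoint default fields, each mapped IP is resolved cache-first and only then against a (stubbed) ipstack client that spends quota, and IPs for which no result comes back are left off the map. The ten default field names, the cache-before-ipstack order, and the rule that unresolved IPs are not plotted come from the text above; the raw alerts, the JSON paths, the stub client, its quota accounting, the decision to cache only successful lookups, and all function and class names are assumptions.

```python
"""Added example: JSON-path field mapping to External Endpoint fields and a
cache-first IP geolocation lookup.

Illustrative code written for this page; it is not D3's ingestion pipeline
or the ipstack integration. The ten default field names, the "cache first,
then ipstack" order and the rule that IPs without a result are not plotted
come from the page. The raw alerts, the JSON paths, the stub ipstack client,
its quota accounting and all function names are assumptions.
"""
from typing import Any, Dict, List, Optional

# Default fields that link an IP or hostname to the External Endpoint
# artifact type (names as listed on the page).
EXTERNAL_ENDPOINT_FIELDS = frozenset({
    "Destination hostname", "Destination IP address",
    "Source hostname", "Source IP address",
    "Device", "Device IP address",
    "Source Device", "Source Device IP address",
    "Destination Device", "Destination Device IP address",
})
IP_FIELDS = frozenset(f for f in EXTERNAL_ENDPOINT_FIELDS if f.endswith("IP address"))


def get_json_path(data: Any, path: str) -> Optional[Any]:
    """Resolve a dotted path such as 'network.src.0.ip'; None if any step is absent."""
    current = data
    for part in path.split("."):
        if isinstance(current, dict):
            current = current.get(part)
        elif isinstance(current, list) and part.isdigit() and int(part) < len(current):
            current = current[int(part)]
        else:
            return None
    return current


def apply_field_mapping(raw_alert: dict, mapping: Dict[str, str]) -> Dict[str, str]:
    """mapping: default field name -> JSON path in the raw alert.

    Returns the resolved External Endpoint fields. Missing values are
    omitted; a field name outside the default list is rejected so that a
    typo cannot silently break the link to the artifact type.
    """
    resolved: Dict[str, str] = {}
    for field_name, path in mapping.items():
        if field_name not in EXTERNAL_ENDPOINT_FIELDS:
            raise ValueError(f"{field_name!r} is not an External Endpoint field")
        value = get_json_path(raw_alert, path)
        if isinstance(value, str) and value:
            resolved[field_name] = value
    return resolved


class StubIpstackClient:
    """Stand-in for the ipstack integration with a lookup quota (assumed)."""

    def __init__(self, responses: Dict[str, dict], quota: int):
        self.responses = responses
        self.quota_remaining = quota
        self.calls = 0

    def lookup(self, ip: str) -> Optional[dict]:
        if self.quota_remaining <= 0:
            raise RuntimeError("ipstack quota exhausted")
        self.quota_remaining -= 1
        self.calls += 1
        return self.responses.get(ip)  # None mimics "ipstack returned no result"


class GeoResolver:
    """Checks the local cache first and only then spends ipstack quota."""

    def __init__(self, client: StubIpstackClient):
        self.client = client
        self.cache: Dict[str, dict] = {}

    def resolve(self, ip: str) -> Optional[dict]:
        if ip in self.cache:
            return self.cache[ip]
        result = self.client.lookup(ip)
        if result is not None:
            self.cache[ip] = result  # only successful lookups are cached (assumption)
        return result


def map_pins(raw_alerts: List[dict], mapping: Dict[str, str],
             resolver: GeoResolver) -> List[dict]:
    """Return one map pin per geolocated IP; IPs with no result are skipped."""
    pins: List[dict] = []
    for alert in raw_alerts:
        for field_name, ip in apply_field_mapping(alert, mapping).items():
            if field_name not in IP_FIELDS:
                continue  # hostnames would need resolving first; out of scope here
            geo = resolver.resolve(ip)
            if geo is None:
                continue  # not shown on the map, as the reader note says
            pins.append({"ip": ip, "field": field_name,
                         "lat": geo["latitude"], "lon": geo["longitude"]})
    return pins


# Constructed sample alerts and ipstack responses (documentation-range IPs).
SAMPLE_ALERTS = [
    {"id": "a1", "network": {"src": {"ip": "198.51.100.7"}, "dst": {"ip": "203.0.113.5"}}},
    {"id": "a2", "network": {"src": {"ip": "198.51.100.7"}, "dst": {"ip": "203.0.113.9"}}},
]
SAMPLE_MAPPING = {
    "Source IP address": "network.src.ip",
    "Destination IP address": "network.dst.ip",
}
SAMPLE_RESPONSES = {
    "198.51.100.7": {"latitude": 52.37, "longitude": 4.90},
    "203.0.113.5": {"latitude": 37.77, "longitude": -122.42},
    # 203.0.113.9 has no entry on purpose: ipstack returns nothing for it.
}


def run_demo() -> tuple:
    """Resolve the sample alerts; returns (pins, number of ipstack calls made)."""
    client = StubIpstackClient(SAMPLE_RESPONSES, quota=10)
    resolver = GeoResolver(client)
    pins = map_pins(SAMPLE_ALERTS, SAMPLE_MAPPING, resolver)
    return pins, client.calls
```

Across the two sample alerts the source IP appears twice but costs only one ipstack call, the destination with no ipstack result produces no pin, and three pins are returned in total.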

Using Map View

The map provides a geographic view of artifacts associated with the built-in External Endpoint artifact type for the selected site. Use the following options to navigate the map view:

  1. Selecting a Site: To choose a site, find the dropdown menu positioned at the top-right.

  2. Identifying Clusters: Concentrated areas with events or artifacts are marked with highlighted circles. These circles vary in color: green represents low threat density, red indicates a higher concentration, and yellow is the intermediate level.

  3. Zooming In and Out: Use the mouse scroll wheel or the zoom controls on the left side of the map for a closer or broader view.

  4. Accessing Detailed Views: Click a pin to open the detailed page for the associated artifact or event.

  5. Using Tactic & Technique Filters: Filter displayed artifacts through the Tactic and Technique dropdowns to see those associated with specific MITRE tactics and techniques.

READER NOTE

To use the MITRE tactics and techniques filter, the artifacts must have the appropriate Tactic or Technique fields mapped. In addition, the Enable MITRE Tactics setting should be active.