IBM Security QRadar

 View Only

Get a new perspective on your Mitre Mapping

By Gladys Koskas posted Fri January 27, 2023 09:05 AM


Hi guys

I wanted to talk with you about a platform where you can look at the Mitre mapping of the QRadar content with another view. The platform I am talking about is Tidal (Tidal website).

What Tidal allows you to do is to pivot in the att&ck matrix in many ways, highlighting where you might want to increase your detection coverage for specific threats.

As an example, you can select the specific threats you want to monitor and they will be highlighted with a colour coding that makes it easy to understand the techniques you should focus on in priority to be efficient. 

In the example below, you can instantly see that "Data Encrypted for Impact" is a technique common to 4 out of the 6 threats I selected. In this case, this technique and the techniques leading to it should probably be higher in the list of priorities for detection / prevention implementation.

All the information available on the Mitre website is also available in Tidal UI, avoiding back and forth while trying to understand what each technique is about and how to detect it.

You might have noticed an information that doesn't appear on the Mitre website... The vendors list ! 
A really cool feature of Tidal is that you can filter on a vendor to see all the techniques that are covered, and compare it to the techniques used by a specific threat !

Personally, I find that really cool, the tool is easy to use and the colours make it super clear. For sure we will be using this functionality to understand where our coverage should be expanded.
If you want to know more about our position with Mitre and our detection strategy in general, I invite you to watch the Tidal interview of our Threat Management CTO, Jason Keirstead, here on youtube.

I wanted to share this tool with you, hoping it will help you find the content extensions you want to install. See below how I dug into the "Remote Desktop Protocol" technique to find that QRadar covers that technique in 4 different content extensions (including my go-to, the Endpoint Content Extension ;) )

I hope you'll find this helpful and that it will make your coverage easier to understand. 
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.


1 comment



Wed February 01, 2023 07:11 AM

thanks for sharing! great tool, something our TDI can try to implement in their portfolio