QRadar rules to MITRE tactics mapping

View Only

Expand all | Collapse all

QRadar rules to MITRE tactics mapping

1. QRadar rules to MITRE tactics mapping

0 Like
Jeffrey Francisco
Posted Tue May 23, 2023 01:27 PM

Reply
Hi,

Is there a mapping for the out of the box or standard Qradar detection rules to respective MITRE tactics/techniques?

I am not sure if IBM has an article/guide relating to this but would appreciate if someone could share some reference on this.

Thanks,
Jeffrey

------------------------------
Jeffrey Francisco
------------------------------
2. RE: QRadar rules to MITRE tactics mapping

1 Like
Gladys Koskas
Posted Tue May 23, 2023 01:38 PM
Edited by Gladys Koskas Tue May 23, 2023 01:38 PM

Reply
Hi Jeffrey
You can view the mapping of all the content (installed and not installed on your box) using the Use Case Manager available on the App Exchange

I am not aware of any guide per say.

I hope this helps

------------------------------
Gladys Koskas
------------------------------

Original Message
3. RE: QRadar rules to MITRE tactics mapping

0 Like
Jeffrey Francisco
Posted Wed May 24, 2023 01:55 AM

Reply
Thanks Gladys! I am working on the use case management document for a client but I'm quite new to QRadar and have yet to install Use Case manager in our environment but will check it out as suggested.

------------------------------
Jeffrey Francisco
------------------------------

Original Message
4. RE: QRadar rules to MITRE tactics mapping

1 Like
Dusan VIDOVIC
Posted Wed May 24, 2023 04:53 AM

Reply
UCM provides a variety of filters, allowing you to focus on the set of rules you are interested in (enabled or not, installed or not, if they came part of a particular extension pack installed, when they were created or modified, etc). Selecting under ATT&CK Actions the option Coverage map and report (top right) and applying the filter on the left side you can also select to focus on rules for which mapping was enabled (True) or not (False); for those that have mapping already enabled, you will see below each of the rules shown in the table the option to uncover the representation of mappings. e.g.:
Clicking into the rule also shows the mapping status, e.g.:

and from there (using the pencil icon) you can edit this (add/change/remove), e.g.:
You can add/change mapping to your rules as well to those that came installed.

------------------------------
Dusan VIDOVIC
------------------------------

Original Message

IBM Security

Join our 16,000+ members as we work together to
overcome the toughest challenges of cybersecurity.

IBM QRadar

QRadar rules to MITRE tactics mapping

Jeffrey FranciscoTue May 23, 2023 01:27 PM

Gladys KoskasTue May 23, 2023 01:38 PM

Jeffrey FranciscoWed May 24, 2023 01:55 AM

Dusan VIDOVICWed May 24, 2023 04:53 AM

1. QRadar rules to MITRE tactics mapping

2. RE: QRadar rules to MITRE tactics mapping

3. RE: QRadar rules to MITRE tactics mapping

4. RE: QRadar rules to MITRE tactics mapping

Additional
Resources

Office

Quick Links

IBM Security

Join our 16,000+ members as we work together to overcome the toughest challenges of cybersecurity.

IBM QRadar

QRadar rules to MITRE tactics mapping

Jeffrey FranciscoTue May 23, 2023 01:27 PM

Gladys KoskasTue May 23, 2023 01:38 PM

Jeffrey FranciscoWed May 24, 2023 01:55 AM

Dusan VIDOVICWed May 24, 2023 04:53 AM

1. QRadar rules to MITRE tactics mapping

2. RE: QRadar rules to MITRE tactics mapping

3. RE: QRadar rules to MITRE tactics mapping

4. RE: QRadar rules to MITRE tactics mapping

Additional Resources

Office

Quick Links

Join our 16,000+ members as we work together to
overcome the toughest challenges of cybersecurity.

Additional
Resources