Alert Management
Alert TTPs
Track tactics, techniques, and procedures associated with alerts
Overview
The TTPs (Tactics, Techniques, and Procedures) tab provides a comprehensive view of the MITRE ATT&CK techniques and tactics associated with an alert, helping analysts understand and document adversary behavior.
MITRE ATT&CK Integration
Framework Overview
- Enterprise ATT&CK Matrix
- Mobile ATT&CK Matrix
- ICS ATT&CK Matrix
- Pre-ATT&CK Tactics
Mapping Capabilities
- Technique selection
- Sub-technique support
- Tactic categorization
- Confidence scoring
Managing TTPs
Adding Techniques
- Browse or search ATT&CK matrix
- Select relevant technique
- Choose sub-techniques if applicable
- Set confidence level
- Add supporting evidence
Bulk Operations
- Import technique list
- Export TTP mapping
- Bulk update confidence
- Remove multiple techniques
TTP Properties
- Technique ID
- Technique name
- Sub-technique details
- Confidence level
- Supporting evidence
- Detection status
- Mitigation status
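A sketch of how one alert's TTP mapping with the properties above can be represented and bulk-edited, as an added example rather than the product's own code; the class name, the three-level confidence scale and the status values are assumptions:

```python
import json
import re
from collections import Counter

# Added example (not the product's own code): a minimal model of one alert's
# TTP mapping carrying the properties listed above, plus the bulk operations.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # T1059 or T1059.001
CONFIDENCE = ("low", "medium", "high")               # assumed confidence scale

class AlertTTPs:
    def __init__(self):
        self.techniques = {}  # technique id -> property record
    def add(self, technique_id, name, tactic, confidence="medium", evidence=()):
        # Reject malformed ids and unknown confidence values before storing.
        if not TECHNIQUE_ID.match(technique_id):
            raise ValueError(f"malformed ATT&CK technique id: {technique_id}")
        if confidence not in CONFIDENCE:
            raise ValueError(f"unknown confidence level: {confidence}")
        parent, _, sub = technique_id.partition(".")
        self.techniques[technique_id] = {
            "technique_id": technique_id, "name": name, "tactic": tactic,
            "parent_technique": parent, "sub_technique": sub or None,
            "confidence": confidence, "evidence": list(evidence),
            "detection_status": "undetected", "mitigation_status": "open",
        }
    def import_list(self, records):          # bulk import of a technique list
        for record in records:
            self.add(**record)
    def bulk_update_confidence(self, technique_ids, level):
        if level not in CONFIDENCE:
            raise ValueError(f"unknown confidence level: {level}")
        for tid in technique_ids:
            self.techniques[tid]["confidence"] = level
    def remove_many(self, technique_ids):     # bulk remove; unknown ids ignored
        for tid in technique_ids:
            self.techniques.pop(tid, None)
    def coverage_by_tactic(self):             # mapped techniques per tactic
        return dict(Counter(r["tactic"] for r in self.techniques.values()))
    def export_json(self):                    # TTP mapping export, id-sorted
        records = sorted(self.techniques.values(), key=lambda r: r["technique_id"])
        return json.dumps(records, indent=2)

# Constructed sample mapping: real ATT&CK ids and names, made-up evidence.
SAMPLE = [
    {"technique_id": "T1566.001", "name": "Spearphishing Attachment",
     "tactic": "Initial Access", "confidence": "high", "evidence": ["mail log #1"]},
    {"technique_id": "T1059.001", "name": "PowerShell", "tactic": "Execution"},
    {"technique_id": "T1021", "name": "Remote Services", "tactic": "Lateral Movement"},
]
```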
Documentation
Evidence Collection
- Observable links
- Screenshot attachments
- Log excerpts
- Analysis notes
Procedure Details
- Implementation specifics
- Tool usage
- Command syntax
- Execution timeline
Analysis Features
Pattern Recognition
- Common technique combinations
- Campaign correlation
- Actor attribution
- Similar incidents
Impact Assessment
- Technique severity
- Asset scope
- Business impact
- Risk scoring
Visualization
Matrix View
- ATT&CK matrix navigation
- Technique highlighting
- Sub-technique expansion
- Coverage mapping
Timeline View
- Technique execution order
- Time-based correlation
- Pattern identification
- Campaign tracking
Best Practices
- Technique Mapping
  - Verify technique matches
  - Document evidence clearly
  - Set appropriate confidence
  - Link to observables
- Documentation
  - Detail procedure specifics
  - Include context
  - Reference sources
  - Update findings
- Analysis
  - Look for patterns
  - Compare with known actors
  - Assess impact
  - Plan mitigations