Updated 1 month ago by Elvis Hovor

The ATT&CK repository is a constantly updated knowledge base of behaviors observed most frequently in the wild, which can be extremely useful for detection, prioritization and analysis of security incidents. Resource-strapped teams can find it challenging to leverage the full power of the ATT&CK knowledge base in mission critical workflows, so TruSTAR makes it easier to overlay adversarial behavior and context onto reports and IOCs in TruSTAR. 


As part of TruSTAR’s suite of intelligence management capabilities, you can now:

  • Accelerate Prioritization & Resolution: TruSTAR automatically correlates all alerts, cases and indicators that share ATT&CK TTP’s. This helps you quickly uncover linkages in adversarial behavior, actors, malwares and IoC and prioritize response actions.
  • Move Up the Pyramid of Pain: By linking IP’s, malware hashes and other observables with ATT&CK TTP’s, you can take more holistic action rather than just blocking and tackling on individual data points. You can also map ATT&CK TTP’s with resolved cases and create a library of cases organized by ATT&CK.
  • Assess Operational Controls: By using data available from TTP trends computed from premium intelligences sources and submissions to TruSTAR, you can be more data-driven in assessing gaps in operational controls and make appropriate adjustments to increase coverage of your organization's attack surface.

Using the Mitre ATT&CK Framework

You can take the following actions to enrich and categorize your reports and indicators with the ATT&CK knowledge base:

  • Create MITRE ATT&CK tags in reports
  • Create MITRE ATT&CK tags for IOCs
  • Filter Reports or IOCs by MITRE ATT&CK

Creating MITRE ATT&CK Tags for Reports

You can tag your internal reports with MITRE ATT&CK tactics or techniques by clicking the MITRE ATT&CK tab in the Tags section on the reports view page.

Selecting the MITRE ATT&CK tab enables you to select the tactics or techniques to associate to the report. You can select multiple tactics or techniques to associate to each report.

If you select to tag a report or indicator by a technique, the associated tactic will also be added as a tag.

MITRE ATT&CK tags will show in the tags section of the report after you save changes. All MITRE tags are preceded by "mitre/" to help differentiate it from other report tags

Currently, you can only tag internal reports with MITRE ATT&CK tags. You cannot tag open any reports stored in Intelligence Source enclaves.

Creating MITRE Tags for IOCs

Similar to the tagging of reports, you can assign MITRE ATT&CK tags to IOCs. You can search or choose IOCs on the graph, then assign them MITRE ATT&CK tags.

Filtering MITRE Tags

In the reports and IOCs list panel, you can filter by MITRE ATT&CK tags to view only reports and indicators associated with a specific MITRE ATT&CK tag.

TruSTAR is making continual updates to the MITRE ATT&CK framework. We welcome questions and feedback on improvements. Please don’t hesitate to send us a quick note here.

How Did We Do?