Framework Mapping and MITRE ATT&CK® Matrix

Map detections to compliance frameworks in Panther

Overview

Panther supports the ability to track coverage against compliance frameworks by mapping rules, policies and scheduled rules to reports.

In Panther versions 1.37 and newer, you can map detections against MITRE ATT&CK®. This can help you track and visualize coverage, which may be useful for identifying gaps and reporting compliance internally. To learn how to assign Tactic and Technique combos to your detections, see the documentation below.

How to map a detection to a framework

  1. In the left-hand navigation bar of your Panther Console, click Build > Detections.

  2. Click the name of a detection.

  3. On the right-hand side of the Framework Mapping section, click Add New.

    • In Report Key, enter the framework name.

    • In Report Values, enter the specific framework requirement name.

      • You can enter multiple report values separated by a comma.

  4. In the upper-right corner, click Update.

How to use the MITRE ATT&CK® feature in Panther

  1. Log in to your Panther Console.

  2. In the left sidebar menu, click Build > MITRE ATT&CK®.

  3. Choose an option from the Matrix drop-down menu in the upper right corner of the page.

Here you will see the number of techniques covered out of the total, and the number of active analytics. Each Tactic is represented as a row, and each Technique as a square within that row.

When clicking into a Technique, you will see the Detections or Log Sources that are applicable. Please note the following:

  • Panther Managed Detections are automatically assigned to applicable Tactic and Technique combos as long as you are using the latest version.

  • CrowdStrike as a Log Source is automatically assigned to applicable Tactic and Technique combos.

  • You can assign Detections, whether enabled or disabled, even if their log sources have not yet been onboarded.

You will need to assign all of your unmanaged rules, policies, and scheduled rules to the respective Tactics & Techniques.

Tactic and Technique possible states

  • Covered: Confirmed by you as a covered Tactic and Technique combo

  • Partially Covered:

    • One or more mapped Panther-managed or unmanaged detections

    • CrowdStrike onboarded as a log source

  • Not Relevant: Manually assigned to not be relevant for your environment

  • Not Covered: No applicable detection, or manually assigned as not covered

Adding and Editing ATT&CK mappings

There are two ways to assign rules, policies, and scheduled rules to a Tactic and Technique: from the MITRE ATT&CK Matrix, or from the detection create/edit workflow.

Note: The actions below require a user with "Manage Rules" permission.

From the MITRE ATT&CK® Matrix:

  1. Select a Tactic and Technique that you would like to map Detections to.

    • In the component under the Matrix you’ll see a list of already mapped Detections or an empty state.

For new and existing Detections, the TacticID:TechniqueID value is assigned automatically after this step.

From the create or edit detection workflow:

  1. In the left-hand navigation bar of your Panther Console, click Build > Detections.

  2. Click the name of a detection.

  3. Scroll down to the Framework Mapping section, within the Set Alert Fields tile.

    • To add a mapping, click Add Report. Configure the fields:

      • Report Key: Enter MITRE ATT&CK.

      • Report Values: Enter the TacticID:TechniqueID value.

    • To remove a mapping, click the trash icon next to the TacticID:TechniqueID value.

Using tags to enrich the mapping convention

The Tags field can be used to enrich the detection with more metadata about the Tactic and Technique as you see fit. For example, it may be useful to add the Tactic and Technique as a tag:

  1. In the left-hand navigation bar of your Panther Console, click Build > Detections.

  2. Click the name of a detection.

  3. Scroll down to the Set Alert Fields tile.

  4. Type the tag in the Custom Tags field, then press Enter.

  5. In the upper-right corner, click Update.

Identifying the Tactic and Technique ID

You can find the TacticID and TechniqueID in the Panther Console or by visiting the MITRE ATT&CK website.
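The mapping values entered above (Report Key MITRE ATT&CK, Report Values in TacticID:TechniqueID form, comma-separated when there are several) and the four coverage states described earlier can be checked and summarized outside the console, for example in a CI step before detections are uploaded. The following is an added example and not Panther's own code: it assumes each detection's mappings live under a Reports block keyed by "MITRE ATT&CK" (the shape used by detection YAML, treated here as an assumption and modelled as Python dicts), assumes the ID pattern TA####:T####[.###], and uses constructed sample detections and a constructed log-source-to-technique table, since the page does not list which techniques CrowdStrike covers.

```python
import re
from collections import Counter

# Report Key the page tells you to enter; values have the form TacticID:TechniqueID.
REPORT_KEY = "MITRE ATT&CK"

# Assumed ID shape: tactics TA####, techniques T#### with an optional .### sub-technique suffix.
MAPPING_RE = re.compile(r"^(TA\d{4}):(T\d{4}(?:\.\d{3})?)$")


def is_valid_mapping(value: str) -> bool:
    """True when the string is a well-formed TacticID:TechniqueID value."""
    return MAPPING_RE.fullmatch(value.strip()) is not None


def parse_mapping(value: str) -> tuple[str, str]:
    """Validate one TacticID:TechniqueID string and split it into its two IDs."""
    match = MAPPING_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"not a TacticID:TechniqueID value: {value!r}")
    return match.group(1), match.group(2)


def mappings_for(detection: dict) -> set[tuple[str, str]]:
    """Collect every (tactic, technique) pair a detection's Reports block declares.

    One Report Value may carry several IDs separated by commas, as the console's
    Report Values field allows, so each value is split before parsing.
    """
    pairs = set()
    for raw in detection.get("Reports", {}).get(REPORT_KEY, []):
        for part in raw.split(","):
            if part.strip():
                pairs.add(parse_mapping(part))
    return pairs


def coverage_state(pair, detections, source_mappings, onboarded_sources,
                   confirmed_covered=frozenset(), not_relevant=frozenset()) -> str:
    """Apply the page's state rules to one (tactic, technique) pair.

    Manual assignments (Covered, Not Relevant) win over the automatic partial
    coverage that a mapped detection or an onboarded log source provides.
    Disabled detections still count, matching the console's behaviour.
    """
    if pair in not_relevant:
        return "Not Relevant"
    if pair in confirmed_covered:
        return "Covered"
    if any(pair in mappings_for(d) for d in detections):
        return "Partially Covered"
    if any(pair in source_mappings.get(src, set()) for src in onboarded_sources):
        return "Partially Covered"
    return "Not Covered"


def coverage_summary(matrix, **rules) -> dict:
    """Count techniques per state overall and per tactic, as the matrix header does."""
    by_state = Counter()
    by_tactic = {}
    for pair in matrix:
        state = coverage_state(pair, **rules)
        by_state[state] += 1
        by_tactic.setdefault(pair[0], Counter())[state] += 1
    return {"states": dict(by_state),
            "tactics": {t: dict(c) for t, c in by_tactic.items()}}


# Constructed sample detections (hypothetical RuleIDs), shaped like a detection's Reports block.
SAMPLE_DETECTIONS = [
    {"RuleID": "Example.Brute.Force", "Enabled": True,
     "Reports": {REPORT_KEY: ["TA0006:T1110"]}},
    {"RuleID": "Example.Valid.Accounts", "Enabled": False,
     "Reports": {REPORT_KEY: ["TA0001:T1078, TA0003:T1078"]}},
]
# Constructed table of which pairs a log source counts toward once onboarded (assumption).
SAMPLE_SOURCE_MAPPINGS = {"CrowdStrike": {("TA0002", "T1059")}}
# Constructed slice of the matrix to evaluate.
SAMPLE_MATRIX = [("TA0001", "T1078"), ("TA0002", "T1059"), ("TA0003", "T1078"),
                 ("TA0005", "T1070"), ("TA0006", "T1110")]


def run_sample() -> dict:
    """Evaluate the constructed matrix with one manual Covered and one Not Relevant assignment."""
    return coverage_summary(
        SAMPLE_MATRIX,
        detections=SAMPLE_DETECTIONS,
        source_mappings=SAMPLE_SOURCE_MAPPINGS,
        onboarded_sources=["CrowdStrike"],
        confirmed_covered={("TA0006", "T1110")},
        not_relevant={("TA0005", "T1070")},
    )


if __name__ == "__main__":
    print(run_sample())
```

Running the sample reports three Partially Covered pairs (two from the disabled detection, one from the onboarded CrowdStrike source), one Covered pair and one Not Relevant pair; a malformed Report Value such as "T1078" without its TacticID is rejected by parse_mapping before it reaches the summary.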
