MITRE ATT&CK is natively incorporated into SOC.OS and is the backbone of our correlation engine and reporting capability. As each and every alert is ingested, SOC.OS automatically classifies the alert message and translates this to the MITRE ATT&CK® framework. This not only helps the analyst to better understand the potential attacker’s motivations, but enables a common language to be used across all your alerting tools.
Instead of reading and interpreting the alert message (and all the variations of): “30 failed password access attempts detected in 60 seconds”, SOC.OS interprets and displays this within the tool as the MITRE ATT&CK technique “Brute Force (ID: T1110 LINK TO MITRE)”. The same applies for the plethora of alert messages contained in all your alerts; “1 GiB Outbound detected” is mapped and interpreted as “Automated Exfiltration (ID: T1020)”, and the list goes on. This allows you to report on all the techniques and tactics that your tooling is alerting on, highlighting and providing you with visibility of your MITRE ATT&CK threat coverage based on your current security technology stack.
Natively aligning to MITRE ATT&CK also enhances our correlation capability, as SOC.OS only groups alerts based on whether or not they share similar MITRE ATT&CK threat types. This ensures that, for example, alerts targeting the same part of your network with similar threat types would appear in the same cluster and can be easily examined in one go. An example which brings this to life can be found in our product sheet.
Understand every alert’s MITRE ATT&CK classification
Understand every tool’s MITRE ATT&CK detection capability
Enhance your overall threat coverage visibility and identify gaps