MITRE ATT&CK matrix coverage

If you want to assess the coverage of the MITRE ATT&CK matrix by your correlation rules:

1. Download the list of MITRE techniques from the official MITRE ATT&CK repository and import it into KUMA.
2. Map MITRE techniques to correlation rules.
3. Export correlation rules to MITRE ATT&CK Navigator.

As a result, you can visually assess the coverage of the MITRE ATT&CK matrix.

Importing the list of MITRE techniques

Only a user with the General Administrator role can import the list of MITRE techniques.

To import the list of MITRE ATT&CK techniques:

1. Download the list of MITRE ATT&CK techniques from the GitHub portal.

   KUMA 3.2 supports only the MITRE ATT&CK technique list version 14.1.

2. In the KUMA web interface, go to the Settings → Other.
3. In the MITRE technique list settings, click Import from file.

   This opens the file selection window.

4. Select the downloaded MITRE ATT&CK technique list and click Open.

   This closes the file selection window.

The list of MITRE ATT&CK techniques is imported into KUMA. You can see the list of imported techniques and the version of the MITRE ATT&CK technique list by clicking View list.

Mapping MITRE techniques to correlation rules

To map MITRE ATT&CK techniques to correlation rules:

1. In the KUMA web interface, go to the Resources → Correlation rules section.
2. Click the name of the correlation rule to open the correlation rule editing window.

   This opens the correlation rule editing window.

3. On the General tab, clicking the MITRE techniques field opens a list of available techniques. For the convenience of searching, a filter is provided, in which you can enter the name of a technique or the ID of a technique or tactic. One or more MITRE ATT&CK techniques are available for linking to a correlation rule.
4. Click Save.

The MITRE ATT&CK techniques are mapped to the correlation rule. In the web interface, in the Resources → Correlation rules section, the MITRE techniques column of the edited rule displays the ID of the selected technique, and when you hover over the item, the full name of the technique is displayed, including the ID of the technique and tactic.

Exporting correlation rules to MITRE ATT&CK Navigator

To export correlation rules with mapped MITRE techniques to MITRE ATT&CK Navigator:

1. In the KUMA web interface, go to the Resources → Correlation rules section.
2. Click the button in the upper-right corner.
3. In the drop-down list, click Export to MITRE ATT&CK Navigator.
4. This opens a window; in that window, select the correlation rules that you want to export.
5. Click OK.

   A file with exported rules is downloaded to your computer.

6. Upload the file from your computer to MITRE ATT&CK Navigator to assess the coverage of the MITRE ATT&CK matrix.

You can assess the coverage of the MITRE ATT&CK matrix.

Page top