MITRE ATT&CK indicators

MITRE ATT&CK indicator template parameters enable you to apply the MITRE security framework to detections to ease analysis of observed internal and external threats.

Custom and out-of-box templates can be configured with indicators that are mapped to MITRE ATT&CK's knowledge base of real-world cyber adversary tactics and techniques. In turn, if policies are violated, detections contain additional contextual information to help identify and mitigate threats. Organizations can also use the MITRE ATT&CK knowledge base to develop specific threat models and methodologies to verify the security status in their environments. Additionally, MITRE's Insider Threat TTP knowledge base, which is a subset of the ATT&CK knowledge base, can serve as a tool for Insider Threat Programs and Security Operations Centers focused specifically on insider actions on IT systems.

Three template parameters are provided that allow you to associate MITRE ATT&CK tactics, techniques, and sub-techniques with detections. The MITRE ATT&CK website defines these as follows:

  • Tactics: Tactics represent the "why" of an ATT&CK technique or sub-technique. It is the adversary's tactical goal or reason for performing an action. For example, an adversary may want to achieve credential access.
  • Techniques: Techniques represent "how" an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
  • Sub-techniques: Sub-techniques are a more specific description of the adversarial behavior used to achieve a goal. They describe behavior at a lower level than a technique. For example, an adversary may dump credentials by accessing the Local Security Authority (LSA) Secrets.

As highlighted in earlier sections of this guide, many templates provide default values for MITRE ATT&CK indicators to save you configuration time. You can either leave the default values selected, select alternative values, or delete them by clicking the icon. If preferred, multiple indicators can be configured per template by clicking the Add indicator button and selecting the desired values.

MITRE ATT&CK indicator configuration in policy template editor

When configured, indicators are displayed alongside detections within the FortiDLP Console. They can also be sent in detection payloads to third-party systems, such as Security Information and Event Management (SIEM) tools and webhooks, for analysis outside of FortiDLP.
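To show what a SIEM-side consumer can do with the indicators carried in a detection payload, here is an added Python example that is not FortiDLP's code and is not taken from this guide. It assumes a payload layout with a `mitre_attack` list and the field names `tactic`, `technique` and `sub_technique`; the IDs used are MITRE's public ones for the credential access / credential dumping / LSA Secrets chain given above (TA0006, T1003, T1003.004).

```python
import re
from dataclasses import dataclass
from typing import Optional

# MITRE ATT&CK identifier grammar: tactic TAnnnn, technique Tnnnn, sub-technique Tnnnn.nnn
TACTIC_RE = re.compile(r"^TA\d{4}$")
TECHNIQUE_RE = re.compile(r"^T\d{4}$")
SUBTECHNIQUE_RE = re.compile(r"^T\d{4}\.\d{3}$")

@dataclass
class AttackIndicator:
    tactic: str
    technique: str
    sub_technique: Optional[str] = None

    @property
    def parent_technique(self) -> Optional[str]:
        # A sub-technique ID embeds its parent technique: T1003.004 -> T1003
        return None if self.sub_technique is None else self.sub_technique.split(".")[0]

def validate_indicator(ind: AttackIndicator) -> list:
    """Return the consistency problems found (empty when the indicator is sound)."""
    problems = []
    if not TACTIC_RE.match(ind.tactic):
        problems.append(f"tactic {ind.tactic!r} is not a TAnnnn id")
    if not TECHNIQUE_RE.match(ind.technique):
        problems.append(f"technique {ind.technique!r} is not a Tnnnn id")
    if ind.sub_technique is not None:
        if not SUBTECHNIQUE_RE.match(ind.sub_technique):
            problems.append(f"sub-technique {ind.sub_technique!r} is not a Tnnnn.nnn id")
        elif ind.parent_technique != ind.technique:
            problems.append(f"sub-technique {ind.sub_technique} belongs to {ind.parent_technique}, not {ind.technique}")
    return problems

def indicators_from_payload(payload: dict) -> list:
    """Parse the 'mitre_attack' list of a detection payload (field names are assumed)."""
    return [AttackIndicator(e["tactic"], e["technique"], e.get("sub_technique"))
            for e in payload.get("mitre_attack", [])]

# Constructed sample payload; the real FortiDLP payload layout is not documented on this page.
SAMPLE_PAYLOAD = {
    "policy": "Credential file exfiltration",
    "mitre_attack": [
        {"tactic": "TA0006", "technique": "T1003", "sub_technique": "T1003.004"},  # LSA Secrets
        {"tactic": "TA0006", "technique": "T1078", "sub_technique": "T1003.004"},  # parent mismatch
    ],
}

def check_payload(payload: dict) -> list:
    # Pair each parsed indicator with its problem list so a SIEM rule can flag bad mappings
    return [(i, validate_indicator(i)) for i in indicators_from_payload(payload)]
```

Run `check_payload(SAMPLE_PAYLOAD)` to see the first indicator pass and the second flagged because T1003.004 is a sub-technique of T1003, not of T1078.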

Detection details panel with MITRE ATT&CK indicators

For more information about detections in the FortiDLP Console, refer to Detections in the FortiDLP Console User Guide.

For information regarding third-party integrations, refer to SIEM tools and Webhooks in the FortiDLP Administration Guide.