# MITRE ATT&CK Integration
800+ threat techniques with automatic classification, filtering, and configuration management.
## Overview
CastellanAI integrates the MITRE ATT&CK framework to provide standardized threat technique classification and mapping. The system includes 800+ techniques across all tactics, enabling comprehensive threat intelligence and attack pattern analysis.
Security events are automatically mapped to MITRE ATT&CK techniques, providing context for threat hunting, incident response, and security analytics.
### What is MITRE ATT&CK?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
| Metric | Count |
|---|---|
| Techniques | 800+ |
| Tactics | 14 |
| Groups | 100+ |
### ATT&CK Tactics
The framework organizes adversary behavior into 14 tactical categories:
| Tactic | Description |
|---|---|
| Reconnaissance | Gathering information for planning attacks |
| Resource Development | Establishing resources for operations |
| Initial Access | Getting into the target network |
| Execution | Running malicious code |
| Persistence | Maintaining foothold |
| Privilege Escalation | Gaining higher-level permissions |
| Defense Evasion | Avoiding detection |
| Credential Access | Stealing credentials |
| Discovery | Learning about the environment |
| Lateral Movement | Moving through the network |
| Collection | Gathering data of interest |
| Command and Control | Communicating with compromised systems |
| Exfiltration | Stealing data |
| Impact | Disrupting availability or integrity |
## Viewing MITRE Techniques
### Accessing the MITRE ATT&CK Page
Navigate to Threat Intelligence in the top navigation bar to access the MITRE ATT&CK techniques database. You can also access it from Settings → MITRE Techniques.
### Statistics Dashboard
At the top of the page, a statistics card shows:
- Total Techniques - Number of techniques in the database
- Last Updated - When the database was last refreshed
- Cache Status - Indicates whether the data is being served from cache for fast loading
### Searching and Filtering
The page provides powerful filtering options:
| Filter | Options |
|---|---|
| Search | Search by technique ID, name, or description |
| Tactic | Filter by any of the 14 tactics |
| Platform | Windows, Linux, macOS, Network, Cloud, Mobile |
### Technique Cards
Each technique displays:
- Technique ID - The official MITRE identifier (e.g., T1059.001)
- Name - Human-readable technique name
- Tactic - Which tactical category it belongs to (color-coded)
- Description - Brief overview of the technique
- Platforms - Which platforms the technique targets
### Technique Details
Click any technique card to view complete details in a modal:
- Tactic - The tactical category with color badge
- Platforms - All targeted platforms
- Added to Database - When the technique was imported
- Description - Full technique description
- Data Sources - Where to look for evidence of this technique
- Mitigations - How to defend against this technique
- Examples - Real-world usage examples
- Associated Applications - Applications linked to this technique
## Integration Features
### Automatic Classification
Security events are automatically mapped to MITRE ATT&CK techniques using:
- Rule-based detection - Windows Event IDs mapped to specific techniques
- AI analysis - Pattern matching for technique identification
- Behavioral correlation - Multi-event analysis for technique chains
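The following is an added example (not CastellanAI's own code) of the first and third of these mechanisms: a rule table that maps Windows Event IDs to technique IDs, a sliding-window brute-force detector for T1110, and a correlation step that turns a brute-force burst followed by a successful logon into a T1078 (Valid Accounts) technique chain. The event records, thresholds and rule table are constructed for the demonstration; the Event IDs themselves (4625 failed logon, 4624 successful logon with type 10 = RemoteInteractive, 4688 process creation, 4698 scheduled task created, 7045 service installed) are the standard Windows ones.

```python
"""Rule-based event classification plus multi-event correlation.

Added example, not CastellanAI code. Input is a handful of constructed Windows
Security/System log records; RULES and the brute-force thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int                      # Windows Event ID
    host: str
    account: str
    process: str = ""                  # populated for 4688 (process creation)
    logon_type: Optional[int] = None   # populated for 4624/4625


# Single-event rules: (event_id, predicate, technique_id). Constructed for this example.
RULES = [
    (4688, lambda e: e.process.lower().endswith("powershell.exe"), "T1059.001"),
    (4698, lambda e: True, "T1053.005"),
    (7045, lambda e: True, "T1543.003"),
    (4624, lambda e: e.logon_type == 10, "T1021.001"),   # type 10 = RDP logon
]
BRUTE_FORCE_THRESHOLD = 5                  # failed logons per host/account ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... inside this sliding window


def classify_event(event):
    """Rule-based mapping: one event -> zero or more ATT&CK technique IDs."""
    return [tid for eid, pred, tid in RULES if event.event_id == eid and pred(event)]


def detect_brute_force(events):
    """T1110: >= THRESHOLD failed logons (4625) for one host/account inside the window.
    Returns {(host, account): time at which the threshold was first crossed}."""
    findings = {}
    recent = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        if e.event_id != 4625:
            continue
        key = (e.host, e.account)
        window = recent[key]
        window.append(e.time)
        while e.time - window[0] > BRUTE_FORCE_WINDOW:   # expire old failures
            window.pop(0)
        if len(window) >= BRUTE_FORCE_THRESHOLD:
            findings.setdefault(key, e.time)
    return findings


def correlate(events):
    """Behavioral correlation: a brute-force finding followed by a successful logon
    (4624) of the same account on the same host is reported as T1078 (Valid Accounts);
    techniques the rules tag for that account afterwards extend the chain in time order."""
    chains = []
    for (host, account), crossed_at in detect_brute_force(events).items():
        follow_on = sorted(
            (e for e in events if e.host == host and e.account == account
             and crossed_at < e.time <= crossed_at + BRUTE_FORCE_WINDOW),
            key=lambda e: e.time)
        if not any(e.event_id == 4624 for e in follow_on):
            continue
        chain = ["T1110", "T1078"]
        for e in follow_on:
            for tid in classify_event(e):
                if tid not in chain:
                    chain.append(tid)
        chains.append({"host": host, "account": account,
                       "start": crossed_at, "techniques": chain})
    return chains


# Constructed sample: six failed logons for alice on WS01, then an RDP logon and a
# PowerShell launch by the same account; unrelated events on other hosts.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = (
    [Event(T0 + timedelta(seconds=30 * i), 4625, "WS01", "alice", logon_type=3)
     for i in range(6)]
    + [Event(T0 + timedelta(minutes=4), 4624, "WS01", "alice", logon_type=10),
       Event(T0 + timedelta(minutes=5), 4688, "WS01", "alice",
             process=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
       Event(T0 + timedelta(minutes=6), 7045, "SRV01", "SYSTEM"),
       Event(T0 + timedelta(minutes=7), 4625, "WS02", "bob", logon_type=2)]
)

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.time.time(), e.event_id, e.host, e.account, classify_event(e))
    for chain in correlate(SAMPLE_EVENTS):
        print("chain:", chain["host"], chain["account"], " -> ".join(chain["techniques"]))
```

The single-event rules give the purple badges described under Security Event Integration; the correlation step is what produces a technique chain that no single event carries, which is the "attack progression" the Incident Response workflow below looks for.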
### Security Event Integration
When viewing security events:
- MITRE techniques appear as purple badges on each event
- Click techniques to see detailed information
- Filter events by specific techniques
### Detection Rules Integration
Detection rules can be mapped to MITRE techniques:
- Each rule shows associated ATT&CK techniques
- Create rules targeting specific techniques
- Track coverage across the ATT&CK matrix
## Managing the MITRE Database
### Importing Techniques
The MITRE database can be imported and updated from the official MITRE ATT&CK source.
- Navigate to Settings → MITRE Techniques
- Click Import Techniques
- Wait for the import to complete (imports 800+ techniques)
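As an added example of what such an import has to handle (this is not CastellanAI's importer), the block below parses techniques out of a STIX 2.x bundle, which is the format MITRE publishes ATT&CK in (for example `enterprise-attack.json` in the mitre-attack/attack-stix-data repository). Techniques are `attack-pattern` objects whose T-number sits in `external_references` under `source_name` "mitre-attack", tactics in `kill_chain_phases`, platforms in `x_mitre_platforms`, and mitigations are `course-of-action` objects linked by `mitigates` relationships. The bundle embedded here is a constructed sample with that shape, including a revoked technique that an importer must skip; the object IDs and the "T9999" entry are placeholders.

```python
"""Import ATT&CK techniques from a STIX 2.x bundle (added example, not CastellanAI code).

SAMPLE_BUNDLE is a constructed sample shaped like the official ATT&CK STIX data.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

TACTIC_NAMES = {  # kill-chain phase name -> display name of the 14 Enterprise tactics
    "reconnaissance": "Reconnaissance", "resource-development": "Resource Development",
    "initial-access": "Initial Access", "execution": "Execution", "persistence": "Persistence",
    "privilege-escalation": "Privilege Escalation", "defense-evasion": "Defense Evasion",
    "credential-access": "Credential Access", "discovery": "Discovery",
    "lateral-movement": "Lateral Movement", "collection": "Collection",
    "command-and-control": "Command and Control", "exfiltration": "Exfiltration",
    "impact": "Impact",
}

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
     "name": "PowerShell",
     "description": "Adversaries may abuse PowerShell commands and scripts for execution.",
     "x_mitre_is_subtechnique": True, "x_mitre_platforms": ["Windows"],
     "x_mitre_data_sources": ["Command: Command Execution", "Script: Script Execution"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [
         {"source_name": "mitre-attack", "external_id": "T1059.001",
          "url": "https://attack.mitre.org/techniques/T1059/001"},
         {"source_name": "other-catalog", "external_id": "X-1"}]},   # non-ATT&CK ref, ignored
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a2",
     "name": "Valid Accounts",
     "description": "Adversaries may obtain and abuse credentials of existing accounts.",
     "x_mitre_platforms": ["Windows", "Linux", "macOS"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
    {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a3",
     "name": "Retired Technique", "revoked": True,   # revoked objects stay in the bundle
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
    {"type": "course-of-action", "id": "course-of-action--00000000-0000-4000-8000-0000000000b1",
     "name": "Disable or Remove Feature or Program",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1042"}]},
    {"type": "course-of-action", "id": "course-of-action--00000000-0000-4000-8000-0000000000b2",
     "name": "Multi-factor Authentication",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1032"}]},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000c1",
     "relationship_type": "mitigates",
     "source_ref": "course-of-action--00000000-0000-4000-8000-0000000000b1",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a1"},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000c2",
     "relationship_type": "mitigates",
     "source_ref": "course-of-action--00000000-0000-4000-8000-0000000000b2",
     "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a2"},
]})


@dataclass
class Technique:
    technique_id: str
    name: str
    description: str
    tactics: list
    platforms: list
    data_sources: list
    mitigations: list
    is_subtechnique: bool
    url: Optional[str]


def attack_id(obj):
    """(external_id, url) from the "mitre-attack" reference of a STIX object, or (None, None)."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
            return ref["external_id"], ref.get("url")
    return None, None


def parse_bundle(bundle_json):
    """Return the live (not revoked or deprecated) techniques in a bundle, sorted by ID."""
    objects = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objects}
    # Resolve mitigations: course-of-action --mitigates--> attack-pattern
    mitigations = defaultdict(list)
    for o in objects:
        if o.get("type") == "relationship" and o.get("relationship_type") == "mitigates":
            src = by_id.get(o.get("source_ref"), {})
            if src.get("type") == "course-of-action" and not src.get("revoked"):
                mitigations[o["target_ref"]].append(f"{attack_id(src)[0]} {src['name']}")
    techniques = []
    for o in objects:
        if o.get("type") != "attack-pattern" or o.get("revoked") or o.get("x_mitre_deprecated"):
            continue
        tid, url = attack_id(o)
        if tid is None:
            continue   # no ATT&CK ID: nothing a technique card could show
        tactics = [TACTIC_NAMES.get(p["phase_name"], p["phase_name"])
                   for p in o.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        techniques.append(Technique(
            technique_id=tid, name=o["name"], description=o.get("description", ""),
            tactics=tactics, platforms=list(o.get("x_mitre_platforms", [])),
            data_sources=list(o.get("x_mitre_data_sources", [])),
            mitigations=sorted(mitigations.get(o["id"], [])),
            is_subtechnique=bool(o.get("x_mitre_is_subtechnique", False)), url=url))
    techniques.sort(key=lambda t: t.technique_id)
    return techniques


if __name__ == "__main__":
    for t in parse_bundle(SAMPLE_BUNDLE):
        print(t.technique_id, t.name, t.tactics, t.platforms, t.mitigations)
```

The tactic, platform, data source and mitigation fields parsed here are the ones the Technique Details modal displays. Skipping revoked and deprecated objects matters on re-import: the official bundle keeps them so that old references still resolve, and an importer that counts them would inflate the "Total Techniques" statistic and show retired IDs in search results.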
### Auto-Update Configuration
Configure automatic updates to keep your database current:
- Go to Settings → MITRE Techniques
- Enable Auto-Update
- Set the update frequency (default: 30 days)
- The system will automatically check for new techniques
## Common Use Cases
### Threat Hunting
Search for specific attack techniques across your security event history to proactively identify potential threats and compromises.
Example workflow:
- Go to Threat Intelligence
- Filter by tactic (e.g., "Credential Access")
- Review techniques like T1110 (Brute Force)
- Search Security Events for events matching these techniques
### Incident Response
Understand the full scope of an attack by identifying all techniques used by an adversary during an incident.
Example workflow:
- Open a security event detail
- Note the MITRE techniques listed
- Search for related techniques in the same tactic
- Look for technique chains indicating attack progression
### Security Analytics
Analyze attack patterns over time to identify trends, common techniques, and areas requiring additional security controls.
### Detection Engineering
Build and validate detection rules mapped to specific MITRE techniques to ensure comprehensive coverage of adversary behaviors.
Example workflow:
- Identify gaps in your ATT&CK coverage
- Go to Detection Rules
- Create rules targeting uncovered techniques
- Map each rule to its MITRE technique
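The coverage tracking described under Detection Rules Integration and the gap-finding step of this workflow come down to one computation: join the rule-to-technique mappings against the technique catalogue and count, per tactic, how many techniques have at least one rule. The block below is an added example (not CastellanAI's coverage view) that does this over a constructed catalogue, namely the nine techniques from the Common Techniques Monitored table, and a constructed set of rules with hypothetical names. It also flags the two data-quality problems a coverage report should surface: rules with no mapping at all, and rules mapped to an ID the catalogue does not contain (the "T0000" entry is a placeholder for a stale mapping).

```python
"""ATT&CK coverage gap analysis over detection rules (added example, not CastellanAI code)."""
from collections import defaultdict

# Constructed catalogue: technique_id -> (name, tactic), taken from the page's table.
CATALOGUE = {
    "T1059.001": ("PowerShell", "Execution"),
    "T1078": ("Valid Accounts", "Initial Access"),
    "T1110": ("Brute Force", "Credential Access"),
    "T1021.001": ("Remote Desktop Protocol", "Lateral Movement"),
    "T1053.005": ("Scheduled Task", "Persistence"),
    "T1543.003": ("Windows Service", "Persistence"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
    "T1562.001": ("Disable Security Tools", "Defense Evasion"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
}

# Constructed detection rules (hypothetical names) with their technique mappings.
RULES = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"]},
    {"name": "RDP logon from new source", "techniques": ["T1021.001"]},
    {"name": "Password spray against many accounts", "techniques": ["T1110"]},
    {"name": "New service installed outside maintenance window", "techniques": ["T1543.003"]},
    {"name": "Mass file rename with ransom note", "techniques": ["T1486"]},
    {"name": "Legacy alert (no mapping)", "techniques": []},
    {"name": "Rule with stale mapping", "techniques": ["T0000"]},   # placeholder, not in catalogue
]


def coverage_report(catalogue, rules):
    """Join rules to techniques and summarise coverage per tactic.

    Returns a dict with:
      by_tactic        {tactic: (techniques with >= 1 rule, techniques in catalogue)}
      uncovered        technique IDs with no rule, sorted
      tactic_gaps      tactics where nothing is covered, sorted
      unmapped_rules   rule names with an empty technique list
      unknown_mappings (rule name, technique id) pairs whose id is not in the catalogue
    """
    rules_by_technique = defaultdict(list)
    unmapped, unknown = [], []
    for r in rules:
        if not r["techniques"]:
            unmapped.append(r["name"])
        for tid in r["techniques"]:
            if tid in catalogue:
                rules_by_technique[tid].append(r["name"])
            else:
                unknown.append((r["name"], tid))
    by_tactic = {}
    for tid, (_, tactic) in catalogue.items():
        covered, total = by_tactic.get(tactic, (0, 0))
        by_tactic[tactic] = (covered + (tid in rules_by_technique), total + 1)
    return {
        "by_tactic": by_tactic,
        "uncovered": sorted(tid for tid in catalogue if tid not in rules_by_technique),
        "tactic_gaps": sorted(t for t, (c, _) in by_tactic.items() if c == 0),
        "unmapped_rules": unmapped,
        "unknown_mappings": unknown,
        "rules_by_technique": dict(rules_by_technique),
    }


if __name__ == "__main__":
    report = coverage_report(CATALOGUE, RULES)
    for tactic, (covered, total) in sorted(report["by_tactic"].items()):
        print(f"{tactic:<20} {covered}/{total}")
    print("uncovered:", ", ".join(f"{t} ({CATALOGUE[t][0]})" for t in report["uncovered"]))
    print("tactic gaps:", report["tactic_gaps"])
    print("unmapped rules:", report["unmapped_rules"])
    print("unknown mappings:", report["unknown_mappings"])
```

Counting techniques with at least one rule, rather than counting rules, keeps a tactic with ten rules on one technique from looking well covered; the per-tactic pairs are what a matrix heat map would colour, and the `uncovered` list is the input to the "create rules targeting uncovered techniques" step.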
## Common Techniques Monitored
CastellanAI provides built-in detection for these commonly observed techniques:
| Technique ID | Name | Tactic |
|---|---|---|
| T1059.001 | PowerShell | Execution |
| T1078 | Valid Accounts | Initial Access |
| T1110 | Brute Force | Credential Access |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1053.005 | Scheduled Task | Persistence |
| T1543.003 | Windows Service | Persistence |
| T1486 | Data Encrypted for Impact | Impact |
| T1562.001 | Disable Security Tools | Defense Evasion |
| T1003 | OS Credential Dumping | Credential Access |
## Pagination
The techniques database supports pagination:
- 25 techniques per page
- Navigate between pages using Previous/Next buttons
- Shows current position (e.g., "Showing 1 to 25 of 823 techniques")
## MITRE ATT&CK Resources
Learn more about the MITRE ATT&CK framework:
### Related Documentation
- Event Monitoring - View security events with MITRE mappings
- Threat Detection - How threats are detected and classified
- Malware Scanning - File-based threat detection